CVE-2025-60218
Status: Deferred - Pending Action
Subscriber Arbitrary File Upload in PT Luxa Addons

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Arbitrary file upload by authenticated users holding the Subscriber role in the PT Luxa Addons WordPress plugin, versions 1.2.2 and earlier.
Affected Vendors & Products
Vendor: patchstack
Product: pt_luxa_addons
Version / Range: up to and including 1.2.2
CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type): The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Compliance Impact

The vulnerability in the PT Luxa Addons plugin lets a low-privileged user place arbitrary files on the web server, which can lead to code execution and full control of the affected site.

That level of access puts the confidentiality, integrity and availability of any personal or sensitive data the site stores at risk, and protecting that data is an explicit obligation under regulations such as GDPR and HIPAA.

An exploited instance could therefore leave the site operator in breach of those obligations, on top of the direct damage of the compromise.

Executive Summary

CVE-2025-60218 is a critical vulnerability in the PT Luxa Addons WordPress plugin, versions 1.2.2 and earlier, that allows arbitrary file uploads.

The flaw is reachable by any authenticated user with only Subscriber-level privileges, the lowest default WordPress role. On sites with open registration (Settings > General > "Anyone can register"), that is effectively anyone on the internet. Such an attacker can upload malicious files, such as PHP backdoors, to the affected website.

Exploiting this vulnerability can lead to unauthorized access to and control over the website.

The vulnerability is rated critical with a CVSS score of 9.9 and is listed under the OWASP Top 10 category A3: Injection; the underlying weakness is CWE-434.

Impact Analysis

A PHP file written into a web-reachable directory is executed by the web server under its own service account, so the practical impact of this vulnerability is remote code execution on the host, not merely unauthorized access to the site.

Attackers can upload malicious files such as backdoors, which can be used to maintain persistent access, manipulate website content, steal data, or launch further attacks against other sites on the same server.

Because exploitation needs only a Subscriber account and yields code execution, this is the class of WordPress plugin flaw that is routinely picked up in mass-exploitation campaigns, which increases the risk of compromise regardless of how prominent an individual site is.

Immediate action, such as updating the plugin once a fixed release exists or applying mitigation rules in the meantime, is recommended to prevent exploitation.

Mitigation Strategies

The vulnerability in PT Luxa Addons plugin versions 1.2.2 and below allows arbitrary file uploads by users with Subscriber-level privileges, which can lead to unauthorized access and code execution.

The first mitigation step is to update the plugin to a fixed release if one is available; this page lists no fixed version and shows the entry as Deferred - Pending Action, so check the plugin's changelog before assuming a newer build closes the hole.

If no official patch is available yet, apply the temporary mitigation rule provided by Patchstack to block attacks until a permanent fix is released. Independently of that rule, the standard containment measures for an unrestricted-upload flaw apply: disable open user registration if the site does not need it, consider deactivating the plugin until it is fixed, configure the web server to refuse to execute PHP from wp-content/uploads (and from any other directory the plugin writes uploads into), and audit those directories for recently added files with PHP extensions, double extensions such as .php.jpg, or PHP open tags inside otherwise innocent file types. Any such file found on a site that was exposed while vulnerable should be treated as evidence of compromise, not just cleaned up.
