Description
The Qyrr – simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file upload potentially enabling remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Qyrr – simply and modern QR-Code creation plugin for WordPress contains a flaw in the blob_to_file() routine that fails to validate uploaded file types. An authenticated user with Contributor or higher privileges can submit any file, thereby gaining the ability to place executable content on the web root. This creates a potential vector for remote code execution if the attacker uploads a crafted script or webshell. The root cause is missing server-side validation, a classic case of unsafe file upload practice.

Affected Systems

WordPress sites that have installed wpchill’s Qyrr – simply and modern QR-Code creation plugin version 2.0.7 or earlier are affected. The vulnerability resides within the plugin’s core upload logic, so any site using those versions, regardless of other themes or plugins, is at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate risk, while the EPSS score is below 1% and the flaw is not listed in CISA’s KEV catalog. The attack vector requires authentication; any user with Contributor-level role or higher can trigger the flaw. Once an arbitrary file is uploaded, an attacker may achieve remote code execution depending on server configuration. As long as contributors retain access to the upload functionality, the threat remains realistic for affected sites.

Generated by OpenCVE AI on April 22, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Qyrr plugin to the latest released version, which is expected to remove the missing file type validation in blob_to_file()
  • If a quick upgrade is not possible, revoke or restrict Contributor and higher roles from accessing the upload endpoint – for example by disabling that capability or disabling the upload feature for non-administrators
  • Consider deactivating or uninstalling the Qyrr plugin if it is not essential to site functionality
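The defect class described above (CWE-434, a server-side routine that writes client-supplied bytes under a client-supplied name with no type check) and the recommended mitigations (restricting the capability, validating the type) are easiest to see side by side. The following is an added illustrative example, not the Qyrr plugin's own code and not a reconstruction of its blob_to_file() function: a hypothetical WordPress AJAX endpoint that stores a browser-rendered QR image sent as a base64 data: URL, first in the unsafe shape the advisory describes and then hardened. Every function, action and nonce name here is assumed; only the WordPress core APIs it calls (current_user_can, check_ajax_referer, wp_check_filetype_and_ext, wp_upload_dir, wp_unique_filename, sanitize_file_name, wp_send_json_*) are real.

```php
<?php
// Added illustrative example, not the Qyrr plugin's code. Names prefixed
// example_ are hypothetical; the wp_* / current_user_can calls are real core APIs.

// BEFORE: the unsafe pattern (CWE-434). The client controls both the file name
// (hence the extension) and the bytes, so any file type lands in the
// web-served uploads directory.
function example_blob_to_file_unsafe( $blob, $filename ) {
	$upload_dir = wp_upload_dir();
	$data       = base64_decode( substr( $blob, strpos( $blob, ',' ) + 1 ) );
	$path       = $upload_dir['path'] . '/' . $filename;
	file_put_contents( $path, $data );
	return $upload_dir['url'] . '/' . $filename;
}

// AFTER: capability check, strict type allowlist, inspection of the real
// content on disk, and a server-chosen file name. Returns the public URL of
// the stored image or a WP_Error.
function example_blob_to_file_safe( $blob, $filename ) {
	// Contributors do not hold upload_files by default in WordPress, so this
	// check alone closes the Contributor-level path the advisory describes.
	if ( ! current_user_can( 'upload_files' ) ) {
		return new WP_Error( 'forbidden', 'Insufficient capability.' );
	}
	// Allowlist the declared type before decoding anything.
	if ( ! preg_match( '#^data:(image/png|image/jpeg);base64,#', $blob, $m ) ) {
		return new WP_Error( 'bad_blob', 'Only base64 PNG/JPEG data URLs are accepted.' );
	}
	$data = base64_decode( substr( $blob, strlen( $m[0] ) ), true );
	if ( false === $data || strlen( $data ) > 2 * MB_IN_BYTES ) {
		return new WP_Error( 'bad_blob', 'Malformed or oversized payload.' );
	}
	// Write to a temp file so the actual bytes, not the declared type, are checked.
	$tmp = tempnam( get_temp_dir(), 'qr' );
	file_put_contents( $tmp, $data );
	$allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
	$check   = wp_check_filetype_and_ext( $tmp, sanitize_file_name( $filename ), $allowed );
	if ( empty( $check['ext'] ) || empty( $check['type'] ) || false === @getimagesize( $tmp ) ) {
		unlink( $tmp );
		return new WP_Error( 'bad_type', 'Content is not a PNG or JPEG image.' );
	}
	// Never reuse the client's extension: rebuild the name from the verified type.
	$upload_dir = wp_upload_dir();
	$base       = pathinfo( sanitize_file_name( $filename ), PATHINFO_FILENAME );
	$name       = wp_unique_filename( $upload_dir['path'], ( $base ?: 'qr' ) . '.' . $check['ext'] );
	$dest       = $upload_dir['path'] . '/' . $name;
	if ( ! rename( $tmp, $dest ) ) {
		unlink( $tmp );
		return new WP_Error( 'io', 'Could not store file.' );
	}
	chmod( $dest, 0644 );
	return $upload_dir['url'] . '/' . $name;
}

// Hypothetical AJAX wiring: CSRF nonce check, then the hardened routine.
add_action( 'wp_ajax_example_qr_upload', function () {
	check_ajax_referer( 'example_qr_upload', 'nonce' );
	$result = example_blob_to_file_safe(
		isset( $_POST['blob'] ) ? wp_unslash( $_POST['blob'] ) : '',
		isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : 'qr.png'
	);
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( $result->get_error_message(), 400 );
	}
	wp_send_json_success( array( 'url' => $result ) );
} );
```

Two design points carry the weight here. The allowlist is applied twice, once to the declared MIME type in the data: URL and once, via wp_check_filetype_and_ext plus getimagesize, to the bytes actually written, so a payload that merely claims to be image/png is rejected. And the stored name is derived from the verified extension rather than from the request, which is what prevents the server-side executable extension the advisory warns about from ever reaching the uploads directory. For an installed vulnerable version, the capability gate is also the cheapest interim control a site owner has while waiting to upgrade.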

Advisories
Source: EUVD
ID: EUVD-2025-31695
Title: The Qyrr – simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

History

Wed, 08 Apr 2026 17:45:00 +0000
Type: References

Tue, 30 Sep 2025 14:15:00 +0000
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000
Type: First Time appeared
Values Added: Patrickposner; Patrickposner qyrr; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Patrickposner; Patrickposner qyrr; Wordpress; Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000
Type: Description
Values Added: The Qyrr – simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Type: Title
Values Added: Qyrr – simply and modern QR-Code creation <= 2.0.7 - Authenticated (Contributor+) Arbitrary File Upload
Type: Weaknesses
Values Added: CWE-434
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Patrickposner: Qyrr
Wordpress: Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:18.367Z

Reserved: 2025-09-04T17:46:09.848Z

Link: CVE-2025-10000

Vulnrichment

Updated: 2025-09-30T13:18:07.795Z

NVD

Status: Deferred

Published: 2025-09-30T11:37:36.833

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses