Description
The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-11-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file upload leading to remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Astra Security Suite – Firewall & Malware Scan plugin for WordPress allows unauthenticated users to upload arbitrary files through the plugin’s remote zip download feature. Insufficient validation of the remote URL and a guessable key in all releases up to 0.2 enable attackers to place executable files on the server, which can subsequently allow remote code execution. The weakness corresponds to CWE‑285: Improper Privileges.

Affected Systems

Any WordPress installation running Astra Security Suite – Firewall & Malware Scan version 0.2 or earlier is vulnerable. The issue exists in all releases through including 0.2. Users of later community or paid tiers are not affected as the upload capability was removed or patched.

Risk and Exploitability

The CVSS base score of 8.1 indicates high impact, while the EPSS score of less than 1 % suggests a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can abuse the plugin’s upload endpoint from any network location; authentication is not required to trigger the flaw, so the attack surface covers the entire public web server.

Generated by OpenCVE AI on April 21, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Astra Security Suite – Firewall & Malware Scan to the latest available release (≥ 0.3) which removes the vulnerable upload mechanism.
  • If an upgrade is not immediately possible, delete or completely uninstall the plugin from the WordPress site to eliminate the risk.
  • Temporarily block external URL fetching or restrict the plugin’s upload functionality via firewall rules or .htaccess to prevent remote clients from triggering the download process until a patch is applied.

Generated by OpenCVE AI on April 21, 2026 at 01:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Astra Security Suite – Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:13.448Z

Reserved: 2025-10-08T18:45:06.191Z

Link: CVE-2025-11521

cve-icon Vulnrichment

Updated: 2025-11-12T14:56:15.049Z

cve-icon NVD

Status : Deferred

Published: 2025-11-11T04:15:41.797

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11521

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses