Description
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-12-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via arbitrary file upload
Action: Patch Immediately
AI Analysis

Impact

The Flex QR Code Generator plugin contains an arbitrary file upload flaw caused by missing file type validation in the update_qr_code() function. An attacker can upload any file type, potentially placing a malicious script on the site. This weakness is classified as CWE-434 and can enable remote code execution if the uploaded file is executed by the server or the application.

Affected Systems

The vulnerability affects the WordPress plugin Flex QR Code Generator by ajitdas and applies to all releases up to and including version 1.2.7. Sites running these versions are exposed unless the plugin is removed or replaced with a newer, non‑vulnerable release.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is considered critical. The EPSS score of less than 1% indicates a low current exploitation rate, and the vulnerability is not listed in the CISA KEV catalog. Attackers can launch the exploit via unauthenticated HTTP requests to the plugin’s upload endpoint, which is generally accessible to all visitors.

Generated by OpenCVE AI on April 21, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Flex QR Code Generator plugin to the latest version that removes the arbitrary file upload flaw.
  • If an update is unavailable, permanently disable the update_qr_code() function or replace the plugin with a secure alternative.
  • Configure the web server and the application to allow only trusted file types for uploads, rejecting all others.

Generated by OpenCVE AI on April 21, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Flex QR Code Generator <= 1.2.6 - Unauthenticated Arbitrary File Upload Flex QR Code Generator <= 1.2.7 - Unauthenticated Arbitrary File Upload
References

Tue, 09 Dec 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 08 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 06 Dec 2025 06:00:00 +0000

Type Values Removed Values Added
Description The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Flex QR Code Generator <= 1.2.6 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:41.398Z

Reserved: 2025-11-03T21:49:33.430Z

Link: CVE-2025-12673

cve-icon Vulnrichment

Updated: 2025-12-08T21:10:59.403Z

cve-icon NVD

Status : Deferred

Published: 2025-12-06T06:15:50.233

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12673

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses