Description
The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation occurs. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-11-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file upload potentially leading to remote code execution
Action: Patch Now
AI Analysis

Impact

The WP Dropzone plugin for WordPress contains an authenticated arbitrary file upload flaw in all releases up to and including 1.1.0: the ajax_upload_handle routine writes uploaded chunks directly to the uploads directory before validating the file type. An attacker who can log in with Subscriber privileges or higher can therefore place any file on the server's filesystem, and if that file is executable or contains malicious code it may be possible to achieve remote code execution on the impacted site.
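As an added example that is not part of the OpenCVE record or the WP Dropzone plugin, the PHP handler below shows the ordering the Description and Impact sections say the vulnerable ajax_upload_handle lacks: the type check runs before any chunk is written, and partial data never lands in the uploads directory. The handler name, nonce action, and the 'name'/'chunk'/'chunks' request fields are assumptions; the WordPress API calls are real.

```php
<?php
// Added example, not WP Dropzone's code: chunked-upload AJAX handler that
// validates the declared type before writing and keeps partial files out of
// wp-content/uploads. Handler name, nonce action and request fields are assumed.
add_action( 'wp_ajax_wpdz_safe_chunk_upload', 'wpdz_safe_chunk_upload' );
function wpdz_safe_chunk_upload() {
    // 1. Nonce plus a capability Subscribers do not have ('upload_files' is Author+).
    check_ajax_referer( 'wpdz_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // 2. Reject the target name BEFORE writing: extension must map to an allowed MIME type.
    $name  = sanitize_file_name( wp_unslash( $_POST['name'] ?? '' ) );
    $check = wp_check_filetype( $name, get_allowed_mime_types() );
    if ( '' === $name || empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    $chunk  = absint( $_POST['chunk'] ?? 0 );
    $chunks = max( 1, absint( $_POST['chunks'] ?? 1 ) );
    // 3. Assemble chunks in the PHP temp dir (outside the web root), per user,
    //    so a half-built file is never reachable by URL.
    $tmp = get_temp_dir() . 'wpdz-' . get_current_user_id() . '-' . md5( $name ) . '.part';
    $in  = fopen( $_FILES['file']['tmp_name'], 'rb' );
    $out = fopen( $tmp, 0 === $chunk ? 'wb' : 'ab' );
    if ( ! $in || ! $out ) {
        wp_send_json_error( 'io error', 500 );
    }
    stream_copy_to_stream( $in, $out );
    fclose( $in ); fclose( $out );
    if ( $chunk + 1 < $chunks ) {
        wp_send_json_success( array( 'received' => $chunk ) ); // wait for remaining chunks
    }
    // 4. Content check on the assembled file (magic bytes / finfo vs. extension),
    //    then move it into uploads under a unique, sanitized name.
    $real = wp_check_filetype_and_ext( $tmp, $name );
    if ( empty( $real['ext'] ) || empty( $real['type'] ) || ! empty( $real['proper_filename'] ) ) {
        unlink( $tmp );
        wp_send_json_error( 'content does not match declared type', 415 );
    }
    $dir  = wp_upload_dir();
    $dest = trailingslashit( $dir['path'] ) . wp_unique_filename( $dir['path'], $name );
    if ( ! rename( $tmp, $dest ) ) {
        unlink( $tmp );
        wp_send_json_error( 'move failed', 500 );
    }
    wp_send_json_success( array( 'url' => trailingslashit( $dir['url'] ) . basename( $dest ) ) );
}
```

Rejecting a non-empty proper_filename is a deliberately conservative choice: it refuses uploads whose content type does not match the declared extension instead of silently renaming them.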

Affected Systems

WordPress sites that have the WP Dropzone plugin installed at version 1.1.0 or earlier are affected. The vulnerable upload handler is reachable by any authenticated user with the Subscriber role or higher, so ordinary subscribers as well as editors and administrators could exploit the flaw.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score of less than 1% suggests exploit attempts are currently rare. Because exploitation requires user authentication, an attacker must first obtain or compromise the credentials of a legitimate user; without that, the attack is not feasible. The vulnerability is not listed in the CISA KEV catalog, meaning it is not known to have been actively exploited on a wide scale at the time of this analysis. Nonetheless, the potential for remote code execution warrants prompt mitigation.

Generated by OpenCVE AI on April 21, 2026 at 01:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Dropzone to the latest available version or remove the plugin entirely if it is not needed
  • If an immediate upgrade is not possible, disable the upload functionality in the plugin or delete the ajax_upload_handle reference to prevent file writes
  • Adjust the file system permissions of the WordPress uploads directory so it is not writable by the web server user except for legitimate upload processes

Generated by OpenCVE AI on April 21, 2026 at 01:34 UTC.

Advisories

No advisories yet.

History

Each entry lists the values added to the record; no values were removed.

Wed, 19 Nov 2025 09:15:00 +0000

  Metrics (added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 14:30:00 +0000

  First Time appeared (added): Wordpress; Wordpress wordpress
  Vendors & Products (added): Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 08:45:00 +0000

  Description (added): The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation occurs. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Title (added): WP Dropzone <= 1.1.0 - Authenticated (Subscriber+) Arbitrary File Upload
  Weaknesses (added): CWE-434
  References (added): (none listed)
  Metrics (added): cvssV3_1
  {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:41.461Z

Reserved: 2025-11-05T20:09:11.254Z

Link: CVE-2025-12775

Vulnrichment

Updated: 2025-11-18T21:44:08.379Z

NVD

Status : Deferred

Published: 2025-11-18T09:15:48.903

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12775

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses