Description
The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-12-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The Starter Templates plugin allows an authenticated user with author-level access to upload files that bypass the plugin’s file type validation by using a double extension, recognizing the file as a valid WXR (WordPress eXtended RSS) file while actually uploading a different payload. This flaw permits arbitrary files to be written to the server’s file system, which can lead to remote code execution if the uploaded file is later executed or exploited. The vulnerability is exemplified by the CWE‑434 (Unrestricted Upload of File with Dangerous Type) weakness that underpins the flaw.

Affected Systems

WordPress sites running the Starter Templates plugin, version 4.4.41 or earlier, from the vendor brainstormforce. This includes all installations of the Starter Templates – AI‑Powered Templates for Elementor & Gutenberg plugin where the author or higher role is present.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is classified as high severity. The EPSS score of less than 1% suggests that it is not widely exploited in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is authentication‑based: an attacker must be able to log in as an author or higher. Once authenticated, the attacker can upload malicious files that may be executed on the server, potentially allowing full control of the site. The combination of high severity and the requirement for legitimate credentials means that organizations should prioritize the update of the plugin as soon as possible to mitigate this risk.

Generated by OpenCVE AI on April 21, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Starter Templates to version 4.4.42 or later, which removes the double‑extension upload bypass.
  • If an upgrade is not immediately possible, remove the plugin or disable the WXR upload feature to prevent file uploads from users with author-level access.
  • Review and harden file‑upload controls, ensuring that only whitelisted MIME types are accepted and that double‑extension files are rejected.

Generated by OpenCVE AI on April 21, 2026 at 17:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Dec 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Brainstormforce
Brainstormforce starter Templates
Wordpress
Wordpress wordpress
Vendors & Products Brainstormforce
Brainstormforce starter Templates
Wordpress
Wordpress wordpress

Mon, 08 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 06 Dec 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Starter Templates <= 4.4.41 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Brainstormforce Starter Templates
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:08.517Z

Reserved: 2025-11-12T13:09:09.667Z

Link: CVE-2025-13065

cve-icon Vulnrichment

Updated: 2025-12-08T21:25:42.529Z

cve-icon NVD

Status : Deferred

Published: 2025-12-06T10:16:05.090

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13065

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses