Description
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-12-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution potential
Action: Apply Patch
AI Analysis

Impact

The WP3D Model Import Viewer plugin for WordPress allows authenticated users with Author-level access or higher to upload arbitrary files due to missing file‑type validation, a vulnerability classified as CWE‑434: Unvalidated File Type. This flaw can be exploited to place malicious files on the server, which may enable remote code execution or other destructive actions against the affected site.

Affected Systems

WordPress sites running the WP3D Model Import Viewer plugin, versions up to and including 1.0.7.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity, while the EPSS score is below 1%, suggesting the likelihood of exploitation is low but non‑zero. It is not listed in the CISA KEV catalog. Attackers need only authenticated Author‑level or higher credentials to exploit the flaw, after which uploaded files could be executed or used to compromise the server.

Generated by OpenCVE AI on April 28, 2026 at 10:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest WP3D Model Import Viewer update, if available, to remove the arbitrary file upload flaw.
  • Remove or disable the plugin if it is unnecessary for site functionality.
  • Enforce strict file‑type validation on the server, rejecting non‑image or disallowed file types, to mitigate future upload‑related threats.

Generated by OpenCVE AI on April 28, 2026 at 10:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title WP3D Model Import Viewer <= 1.0.7 - Authenticated (Contributor+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:04.101Z

Reserved: 2025-11-12T20:54:54.977Z

Link: CVE-2025-13094

cve-icon Vulnrichment

Updated: 2025-12-15T15:21:18.013Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:47.293

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13094

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses