Description
The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-11-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The ProjectList plugin for WordPress contains a missing file type validation flaw that allows authenticated users with Editor-level access or higher to upload any file to the site’s server. An attacker who can place a malicious script in the uploaded file could achieve remote code execution on the host, compromising confidentiality, integrity and availability of the web application and underlying operating system.

Affected Systems

This vulnerability affects the ProjectList plugin by the vendor ov3rkll, specifically all releases up to and including version 0.3.0. Site owners running any of these releases are at risk.

Risk and Exploitability

The vulnerability scores a CVSS 7.2, indicating high severity. The EPSS score is below 1%, suggesting that the likelihood of exploitation is currently low, and the issue is not listed in CISA’s KEV catalog. Because it requires authenticated access with Editor or higher privileges, exploitation needs an insider account or compromised credentials. Once an attacker uploads a malicious payload, the lack of file type filtering can allow code execution if the uploaded file is written to a directory that the web server serves and in which scripts are allowed to execute.

Generated by OpenCVE AI on April 22, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProjectList plugin to a version newer than 0.3.0 as soon as an official patch is available.
  • If an upgrade is not yet possible, temporarily deactivate the ProjectList plugin or remove the upload functionality until a fix is released.
  • Restrict the upload capability by ensuring that only Administrators, not Editors, can add files, and configure the server to prevent execution of files in upload directories.
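The missing file type validation the record describes (CWE-434) and the "Administrators only" restriction recommended above, shown together as an added example written for this page; it is not code from the ProjectList plugin or from ov3rkll. It uses the WordPress core functions wp_check_filetype_and_ext() and wp_handle_upload(); the hook name, nonce action, form field name and all identifiers prefixed projectlist_demo_ are assumptions for illustration.

```php
<?php
/**
 * Added example (not the ProjectList plugin's code): a WordPress upload handler
 * that enforces a MIME/extension whitelist and an Administrator capability
 * check before a file is written to disk. Names prefixed projectlist_demo_
 * are hypothetical.
 */

// Explicit whitelist: anything not listed here (.php, .phtml, .phar,
// .htaccess, ...) is rejected. Keys are pipe-separated extensions.
function projectlist_demo_allowed_mimes() {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );
}

function projectlist_demo_handle_upload() {
    // Capability check: Administrator-level rights, not just Editor.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF protection: the form must carry a valid nonce for this action.
    check_admin_referer( 'projectlist_demo_upload', 'projectlist_demo_nonce' );

    if ( empty( $_FILES['projectlist_demo_file'] )
        || UPLOAD_ERR_OK !== $_FILES['projectlist_demo_file']['error'] ) {
        wp_die( 'No file uploaded.', 400 );
    }
    $file  = $_FILES['projectlist_demo_file'];
    $mimes = projectlist_demo_allowed_mimes();

    // Cross-check the declared extension against the real content type
    // (finfo) using only the whitelist. A script renamed to .jpg fails the
    // content check; a real image named .php fails the extension check.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted.', 415 );
    }
    // WordPress may correct the extension to match the real content type.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() re-validates against 'mimes', sanitises the file
    // name and stores the file under wp-content/uploads.
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $mimes,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    return $result; // array with 'file', 'url' and 'type' on success
}
add_action( 'admin_post_projectlist_demo_upload', 'projectlist_demo_handle_upload' );
```

The whitelist is the control: a file whose extension or content is not mapped is rejected before it reaches disk, and the extension/content cross-check defeats a script renamed to an image extension. Web-server configuration that denies script execution under the uploads directory, as the third recommendation says, is a separate defence-in-depth layer that this code does not replace.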

Advisories

No advisories yet.

History

Wed, 26 Nov 2025 11:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Wordpress; Wordpress wordpress
  Vendors & Products                    Wordpress; Wordpress wordpress

Tue, 25 Nov 2025 15:15:00 +0000

  Type      Values Removed   Values Added
  Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 25 Nov 2025 07:45:00 +0000

  Type         Values Removed   Values Added
  Description                   The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
  Title                         ProjectList <= 0.3.0 - Authenticated (Editor+) Arbitrary File Upload
  Weaknesses                    CWE-434
  References
  Metrics                       cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:49.616Z

Reserved: 2025-11-18T19:29:31.740Z

Link: CVE-2025-13376

Vulnrichment

Updated: 2025-11-25T15:01:27.390Z

NVD

Status: Deferred

Published: 2025-11-25T08:15:49.877

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13376

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses