Description
The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled.
Published: 2025-03-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Inline Image Upload for BBPress plugin is caused by the omission of file extension validation during uploads, allowing attackers to upload files of any type. When authenticated as a user with Subscriber level or higher, an attacker can place arbitrary files on the server, which could subsequently be executed, leading to full remote code execution. The plugin also exposes a secondary risk for unauthenticated users when the site configuration permits guest posting, granting the same upload capability without authentication.

Affected Systems

WordPress sites that have installed the Inline Image Upload for BBPress plugin version 1.1.19 or earlier are potentially affected. This includes any site running that version or an older release, regardless of how user roles are distributed. The issue arises from the plugin’s own upload handler and is not limited to a specific WordPress core version.

Risk and Exploitability

The CVSS score of 8.8 places this flaw in the high severity range, indicating significant impact. The EPSS score of less than 1% suggests that, although the flaw is serious, the likelihood of exploitation is relatively low. The vulnerability is not listed in the CISA KEV catalog, and no active exploit has been confirmed in the wild. Attackers would need to authenticate as a Subscriber or higher, or rely on the guest posting setting, to exploit the flaw. The combination of high severity and low exploitation probability highlights the importance of addressing the issue promptly to prevent potential remote code execution.

Generated by OpenCVE AI on April 20, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Inline Image Upload for BBPress plugin to a version where file extension validation is implemented (any release newer than 1.1.19).
  • Restrict upload permissions so that only trusted user roles, such as administrators, can upload files through the plugin.
  • Disable the "Allow guest users without accounts to create topics and replies" setting if guest posting is not required.
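
As an added illustration of the CWE-434 flaw class described in the analysis above and of the controls listed in the recommended actions (example code, not the plugin's own code, which this page does not show), here is an AJAX image-upload handler first written without any file-type validation and then hardened. The hook name, the function names and the 'inline_image' form field are assumptions.

```php
<?php
// Illustrative example, not the plugin's own code. Hook name, function
// names and the 'inline_image' field are assumptions.

// VULNERABLE PATTERN: moves whatever the client sent into the uploads
// directory, keeping the client-supplied filename and extension, and
// performs no capability check, so a Subscriber (or a guest, when guest
// posting is enabled) can store a .php file under the web root.
function example_vulnerable_upload() {
    $f    = $_FILES['inline_image'];
    $dir  = wp_upload_dir();
    $dest = trailingslashit( $dir['path'] ) . basename( $f['name'] );
    move_uploaded_file( $f['tmp_name'], $dest ); // extension never checked
    wp_send_json_success( array( 'url' => trailingslashit( $dir['url'] ) . basename( $f['name'] ) ) );
}

// HARDENED PATTERN: require a nonce and the upload_files capability
// (Subscribers lack it by default, and guests are never logged in), then
// let WordPress validate both the extension and the file content.
function example_hardened_upload() {
    check_ajax_referer( 'example_inline_image', 'nonce' );
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( empty( $_FILES['inline_image'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $f = $_FILES['inline_image'];
    // Allow-list of image types. wp_check_filetype_and_ext() matches the
    // extension against this list and sniffs the image content, so both a
    // disallowed extension and a non-image payload with an image extension
    // come back with 'ext' and 'type' set to false.
    $mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $f['tmp_name'], $f['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'only image files are permitted', 415 );
    }
    // wp_handle_upload() repeats the check with the same allow-list, picks a
    // unique filename and places the file in the uploads directory.
    $result = wp_handle_upload( $f, array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 415 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_inline_image_upload', 'example_hardened_upload' );
```

Because the hardened handler is registered only on the logged-in `wp_ajax_` hook and demands `upload_files`, the "Allow guest users without accounts to create topics and replies" setting no longer extends the upload capability to unauthenticated visitors.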

Advisories

Source: EUVD
ID: EUVD-2025-8674
Title: The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled.
History

Mon, 07 Apr 2025 18:45:00 +0000

Type: Description
Values Removed: The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled.
Values Added: The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled.

Type: References

Mon, 31 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 29 Mar 2025 07:15:00 +0000

Type: Description
Values Added: The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled.

Type: Title
Values Added: Inline Image Upload for BBPress <= 1.1.19 - Authenticated (Subscriber+) Arbitrary File Upload

Type: Weaknesses
Values Added: CWE-434

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:26.728Z

Reserved: 2025-03-05T21:23:55.045Z

Link: CVE-2025-2006

Vulnrichment

Updated: 2025-03-31T13:16:59.170Z

NVD

Status: Deferred

Published: 2025-03-29T07:15:17.220

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2006

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses