Description
Unrestricted Upload of File with Dangerous Type vulnerability in jumpdemand 4ECPS Web Forms 4ecps-webforms allows Upload a Web Shell to a Web Server. This issue affects 4ECPS Web Forms: from n/a through <= 0.2.18.
Published: 2025-01-09
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unrestricted upload vulnerability in the WordPress 4ECPS Web Forms plugin allows attackers to upload files of any type. By uploading a web shell or other executable code, an adversary can gain remote code execution on the web server, compromising confidentiality, integrity, and availability of the site and any back‑end services. The weakness is classified as CWE‑434: Unrestricted Upload of File with Dangerous Type.

Affected Systems

The vulnerability affects the jumpdemand 4ECPS Web Forms plugin for WordPress. All releases up to and including version 0.2.18 are susceptible. Site owners who have not upgraded beyond this version are at risk.

Risk and Exploitability

The CVSS score of 10.0 indicates a critical threat. The EPSS score is below 1%, so the estimated probability of exploitation is currently low, and the issue is not listed in KEV; neither fact reduces the urgency of remediation. Attackers can exploit the flaw via the plugin's file-upload interface; the attack vector is inferred to be any user, authenticated or unauthenticated, who can reach that interface, which depends on the site's configuration.

Generated by OpenCVE AI on May 1, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin update or a version newer than 0.2.18, ensuring the fix for unrestricted file upload is in place.
  • Reconfigure the plugin or WordPress media settings to allow only whitelisted MIME types and file extensions; block execution of uploaded files.
  • Move the upload directory outside the web‑root or serve it with a non‑executable configuration (e.g., add an .htaccess deny rule or disable directory listing).



Advisories
Source: EUVD
ID: EUVD-2025-2785
Title: Unrestricted Upload of File with Dangerous Type vulnerability in jumpdemand 4ECPS Web Forms allows Upload a Web Shell to a Web Server. This issue affects 4ECPS Web Forms: from n/a through 0.2.18.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Unrestricted Upload of File with Dangerous Type vulnerability in jumpdemand 4ECPS Web Forms allows Upload a Web Shell to a Web Server.This issue affects 4ECPS Web Forms: from n/a through 0.2.18.
Values added: Unrestricted Upload of File with Dangerous Type vulnerability in jumpdemand 4ECPS Web Forms 4ecps-webforms allows Upload a Web Shell to a Web Server.This issue affects 4ECPS Web Forms: from n/a through <= 0.2.18.

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Fri, 10 Jan 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jan 2025 15:45:00 +0000

Type: Description
Values added: Unrestricted Upload of File with Dangerous Type vulnerability in jumpdemand 4ECPS Web Forms allows Upload a Web Shell to a Web Server.This issue affects 4ECPS Web Forms: from n/a through 0.2.18.

Type: Title
Values added: WordPress 4ECPS Web Forms Plugin <= 0.2.18 - Arbitrary File Upload vulnerability

Type: Weaknesses
Values added: CWE-434

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:36:58.535Z

Reserved: 2025-01-07T10:22:25.314Z

Link: CVE-2025-22504

Vulnrichment

Updated: 2025-01-10T20:23:37.133Z

NVD

Status : Deferred

Published: 2025-01-09T16:16:27.110

Modified: 2026-04-23T15:23:06.833

Link: CVE-2025-22504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:00:14Z

Weaknesses