Description
Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files. This issue affects Celestial Aura: from n/a through 2.2.
Published: 2025-05-19
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin accepts uploaded files without adequately restricting their type (CWE-434). An attacker who can reach the upload handler can place a server-side script, for example a .php file, where the web server will execute it, then trigger it with a plain HTTP request and run code under the web server's account. The CVSS vector rates the impact on confidentiality, integrity and availability as high and the scope as changed, so the consequence is not confined to the plugin: the whole WordPress site, its configuration (including the database credentials in wp-config.php) and anything else the web server account can read or write are exposed.

Affected Systems

This flaw affects the dkszone Celestial Aura WordPress plugin in all releases up to and including version 2.2. No fixed version is named on this page.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H gives a base score of 9.9, Critical: the upload endpoint is reachable over the network, exploitation is low complexity and needs no victim interaction, and the changed scope reflects that a dropped script runs outside the plugin's own component. The one precondition is PR:L, an authenticated account with low privileges, so sites with open registration or many low-privileged users are the most exposed. The EPSS below 1% and the SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: total) describe observed activity at assessment time, not difficulty. The flaw is not in the CISA KEV catalog, but a single crafted multipart/form-data request carrying a script file, sent to the plugin's upload handler from such an account, is all that is required, and the outcome is full site takeover.
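Because this page lists no fixed version and the flaw has been public since May 2025, a practitioner's first question is whether a script has already been dropped. The following is an added example, not code from OpenCVE or from the Celestial Aura plugin: it walks an uploads tree (the path, the extension list and the 4 KiB sniff window are assumptions) and reports files that an arbitrary-upload bug could have left behind, including double-extension names, image files that carry a PHP open tag, and per-directory server overrides (.htaccess, .user.ini) that attackers use to re-enable execution in wp-content/uploads.

```php
<?php
// Added example, not part of the OpenCVE page or the Celestial Aura plugin.
// Post-exploitation check for an uploads directory. Paths, the extension
// list and the sniff window below are assumptions for illustration.

declare(strict_types=1);

/** Extensions a web server or PHP handler may execute if the file is reachable. */
const EXEC_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht', 'phps',
    'inc', 'cgi', 'pl', 'py', 'sh', 'exe', 'jsp', 'asp', 'aspx',
];

/** Per-directory overrides attackers drop to turn execution back on. */
const CONFIG_OVERRIDES = ['.htaccess', '.user.ini'];

/**
 * Returns [[path, reason], ...] for every file under $root that has an
 * executable extension anywhere in its name (catches shell.php.jpg), a PHP
 * open tag in its first $sniffBytes bytes (catches a webshell saved as
 * logo.png), or is a server config override sitting inside the uploads tree.
 */
function find_suspicious_uploads(string $root, int $sniffBytes = 4096): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        /** @var SplFileInfo $info */
        if (!$info->isFile()) {
            continue;
        }
        $path = $info->getPathname();
        $name = $info->getFilename();

        if (in_array($name, CONFIG_OVERRIDES, true)) {
            $hits[] = [$path, 'server config override inside uploads'];
            continue;
        }

        // Every dot-separated part after the first is treated as an extension,
        // so "shell.php.jpg" is flagged on "php" regardless of what comes last.
        $parts = array_slice(explode('.', strtolower($name)), 1);
        foreach ($parts as $part) {
            if (in_array($part, EXEC_EXTENSIONS, true)) {
                $hits[] = [$path, "executable extension .$part"];
                continue 2;
            }
        }

        // Content check: a PHP open tag inside a file with a harmless extension.
        $head = (string) file_get_contents($path, false, null, 0, $sniffBytes);
        if (preg_match('/<\?(php|=)/i', $head) === 1) {
            $hits[] = [$path, 'PHP open tag in non-PHP file'];
        }
    }
    return $hits;
}

// Stand-alone demo on a constructed directory tree (sample data, not real findings).
$root = sys_get_temp_dir() . '/uploads-demo-' . bin2hex(random_bytes(4));
mkdir("$root/2025/05", 0700, true);
file_put_contents("$root/2025/05/photo.jpg",     "\xFF\xD8\xFF\xE0 constructed jpeg stub");
file_put_contents("$root/2025/05/shell.php.jpg", "<?php /* constructed marker */ ?>");
file_put_contents("$root/2025/05/logo.png",      "\x89PNG\r\n\x1a\n<?php /* constructed marker */ ?>");
file_put_contents("$root/.htaccess",             "AddType application/x-httpd-php .jpg\n");

foreach (find_suspicious_uploads($root) as [$path, $reason]) {
    printf("%-30s %s\n", substr($path, strlen($root) + 1), $reason);
}
```

Run it against the real wp-content/uploads (read-only; it never deletes anything) and treat every hit as something to inspect by hand: photo.jpg in the demo is not reported, the other three are. Pair it with a search of the web server access log for requests to paths under uploads that end in a script extension, which is the access pattern a dropped file produces.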

Generated by OpenCVE AI on May 2, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor for a Celestial Aura release later than 2.2 that addresses this issue and update to it. This page lists no fixed version, so until one is confirmed treat every installed release as vulnerable and consider deactivating or removing the plugin.
  • If the plugin must stay active, disable its upload feature. If uploads are required, enforce an allowlist of the few extensions the site actually needs rather than a denylist of dangerous ones: a denylist of .php and .exe misses .phtml, .phar, .php5 and double extensions such as shell.php.jpg.
  • Validate the type from the file's bytes (magic numbers) rather than from the client-supplied Content-Type or extension, store uploads under a server-generated name, and configure the web server so nothing under wp-content/uploads is handed to a PHP handler; a web application firewall or security plugin can add a layer in front of this but is not a substitute for the server-side rule.
  • Because the issue has been public since 2025-05-19, review wp-content/uploads and the web server logs for unexpected script files and for requests to them.
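The allowlist, magic-byte and safe-storage checks recommended above, shown side by side with the CWE-434 pattern they replace. This is an added example, not code from the Celestial Aura plugin or from OpenCVE; the function names, the five-entry allowlist and the storage directory are assumptions for illustration.

```php
<?php
// Added example, not code from the Celestial Aura plugin or from OpenCVE:
// the CWE-434 pattern beside a hardened handler. Function names, the
// allowlist and the storage path are assumptions for illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern: the client-chosen filename is used as-is and the
 * client-declared Content-Type is the only "check". Uploading shell.php with
 * a Content-Type of image/png drops an executable script into a web-reachable
 * directory.
 */
function vulnerable_save(array $file, string $webDir): string
{
    if (strpos($file['type'], 'image/') !== 0) { // attacker controls $file['type']
        throw new RuntimeException('not an image');
    }
    $dest = $webDir . '/' . $file['name'];       // attacker controls the name too
    rename($file['tmp_name'], $dest);
    return $dest;
}

/**
 * The checks a hardened handler performs before moving anything.
 * Returns the extension the stored file may carry, or throws.
 */
function validate_upload(string $clientName, string $tmpPath): string
{
    // Allowlist keyed by extension, with the libmagic MIME type that must match.
    static $allowed = [
        'jpg'  => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],  'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    $parts = explode('.', strtolower(basename($clientName))); // basename drops ../
    if (count($parts) < 2) {
        throw new RuntimeException('no extension');
    }
    $ext = end($parts);
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    // Refuse double extensions such as shell.php.jpg outright rather than
    // relying on the web server to honour only the last one.
    if (count($parts) > 2) {
        throw new RuntimeException('multiple extensions rejected');
    }

    // Content type from the bytes, never from the request.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException("content is $mime, not a .$ext");
    }

    // Polyglot guard: an image or PDF that also carries a PHP open tag is refused.
    if (preg_match('/<\?(php|=)/i', (string) file_get_contents($tmpPath)) === 1) {
        throw new RuntimeException('embedded PHP tag');
    }
    return $ext;
}

/**
 * Hardened save: validated, random server-chosen name, stored outside the
 * document root, not executable. Serve it back through a script that sets
 * Content-Type and Content-Disposition, not by direct URL.
 */
function hardened_save(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . $file['error']);
    }
    $ext  = validate_upload($file['name'], $file['tmp_name']);
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // In a real request handler use move_uploaded_file(); rename() is used here
    // only so the demo below runs from the command line without an HTTP upload.
    if (!rename($file['tmp_name'], $dest)) {
        throw new RuntimeException('store failed');
    }
    chmod($dest, 0640);
    return $dest;
}

// Stand-alone demo on constructed inputs: a real 1x1 PNG and a PHP script
// disguised by its name. Requires the fileinfo extension.
$tmp = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
file_put_contents("$tmp/good", $png);
file_put_contents("$tmp/bad",  "<?php /* constructed marker */ ?>");

$cases = [
    ['name' => 'avatar.png',    'tmp_name' => "$tmp/good", 'type' => 'image/png', 'error' => UPLOAD_ERR_OK],
    ['name' => 'shell.php',     'tmp_name' => "$tmp/bad",  'type' => 'image/png', 'error' => UPLOAD_ERR_OK],
    ['name' => 'shell.php.png', 'tmp_name' => "$tmp/bad",  'type' => 'image/png', 'error' => UPLOAD_ERR_OK],
    ['name' => '../evil.png',   'tmp_name' => "$tmp/bad",  'type' => 'image/png', 'error' => UPLOAD_ERR_OK],
];
foreach ($cases as $c) {
    try {
        printf("%-15s accepted -> %s\n", $c['name'], hardened_save($c, $tmp));
    } catch (RuntimeException $e) {
        printf("%-15s rejected: %s\n", $c['name'], $e->getMessage());
    }
}
```

Only avatar.png is accepted; shell.php fails the allowlist, shell.php.png fails the double-extension rule, and ../evil.png passes the name checks but is rejected because libmagic identifies its content as PHP source rather than image/png. Inside a WordPress plugin the same effect is obtained by handing the file to wp_handle_upload(), which applies the core upload_mimes allowlist and wp_check_filetype_and_ext(), instead of calling move_uploaded_file() on the client-supplied name. Whatever the handler does, the server-side rule that no PHP handler serves wp-content/uploads is the control that still holds when the handler is wrong.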

Generated by OpenCVE AI on May 2, 2026 at 01:33 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-27729
Title: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files. This issue affects Celestial Aura: from n/a through 2.2.
History

Tue, 28 Apr 2026 19:30:00 +0000

Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura celestial-aura allows Using Malicious Files.This issue affects Celestial Aura: from n/a through <= 2.2.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files.This issue affects Celestial Aura: from n/a through 2.2.
References

Thu, 23 Apr 2026 15:30:00 +0000

Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files.This issue affects Celestial Aura: from n/a through 2.2.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura celestial-aura allows Using Malicious Files.This issue affects Celestial Aura: from n/a through <= 2.2.
References

Mon, 19 May 2025 19:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 18:15:00 +0000

Description
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files.This issue affects Celestial Aura: from n/a through 2.2.
Title
  Added: WordPress Celestial Aura plugin <= 2.2 - Arbitrary File Upload vulnerability
Weaknesses
  Added: CWE-434
References
Metrics
  Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:42.371Z

Reserved: 2025-02-17T11:50:29.987Z

Link: CVE-2025-26892

Vulnrichment

Updated: 2025-05-19T18:19:46.282Z

NVD

Status : Deferred

Published: 2025-05-19T18:15:28.163

Modified: 2026-04-28T19:29:47.493

Link: CVE-2025-26892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses