CVE-2025-27282 - Vulnerability Details

- WordPress Theme File Duplicator Plugin <= 1.3 - Arbitrary File Upload vulnerability

Description

Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator theme-file-duplicator allows Using Malicious Files.This issue affects Theme File Duplicator: from n/a through <= 1.3.

Published: 2025-04-17

Score: 9.9 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker can exploit the Theme File Duplicator plugin for WordPress, up to version 1.3, to upload any file type without restriction. This flaw allows a malicious actor to place executable code on the web server, potentially leading to full compromise of the site’s confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects the rockgod100 Theme File Duplicator plugin for WordPress. Any installation of the plugin with a version of 1.3 or earlier is potentially impacted. No specific patch release details are provided in the available data.

Risk and Exploitability

The CVSS score is 9.9, indicating critical severity. The EPSS score is below 1 percent, suggesting low probability of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves using the plugin’s file upload functionality, which an attacker can trigger either as an authenticated user or by abusing the upload endpoint. Successful exploitation could result in remote code execution if a PHP file is uploaded and executed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

rockgod100

Theme File Duplicator

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.3

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Theme File Duplicator to the latest available version to remove the vulnerability.
If an update cannot be performed, remove or disable the plugin to eliminate the upload interface.
If disabling is not an option, configure a file‑type filter that blocks dangerous file extensions and enforces strict MIME‑type validation before accepting uploads.

Generated by OpenCVE AI on May 1, 2026 at 09:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-11616	Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator allows Using Malicious Files. This issue affects Theme File Duplicator: from n/a through 1.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00327.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/theme-file-duplicator/vulnerability/wordpress-theme-file-duplicator-plugin-1-3-arbitrary-file-upload-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator allows Using Malicious Files. This issue affects Theme File Duplicator: from n/a through 1.3.	Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator theme-file-duplicator allows Using Malicious Files.This issue affects Theme File Duplicator: from n/a through <= 1.3.
References	https://patchstack.com/database/wordpress/plugin/theme-file-duplicator/vulnerability/wordpress-theme-file-duplicator-plugin-1-3-arbitrary-file-upload-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/theme-file-duplicator/vulnerability/wordpress-theme-file-duplicator-plugin-1-3-arbitrary-file-upload-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Thu, 17 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 17 Apr 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description		Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator allows Using Malicious Files. This issue affects Theme File Duplicator: from n/a through 1.3.
Title		WordPress Theme File Duplicator Plugin <= 1.3 - Arbitrary File Upload vulnerability
Weaknesses		CWE-434
References		https://patchstack.com/database/wordpress/plugin/theme-file-duplicator/vulnerability/wordpress-theme-file-duplicator-plugin-1-3-arbitrary-file-upload-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-17T15:48:10.700Z

Updated: 2026-04-28T16:11:46.936Z

Reserved: 2025-02-21T16:45:10.729Z

Link: CVE-2025-27282

Vulnrichment

Updated: 2025-04-17T17:40:59.097Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:34.753

Modified: 2026-04-23T15:26:17.563

Link: CVE-2025-27282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object