CVE-2025-31002 - Vulnerability Details

- WordPress Squeeze plugin <= 1.6 - Arbitrary File Upload vulnerability

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze squeeze allows Using Malicious Files.This issue affects Squeeze: from n/a through <= 1.6.

Published: 2025-04-09

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Squeeze plugin contains an unrestricted file upload vulnerability that allows an attacker to upload files with dangerous types, potentially executing malicious code on the server. This weakness, identified as CWE‑434, can compromise the confidentiality, integrity, and availability of the affected WordPress site. If a file with executable code is uploaded, the attacker can run arbitrary programs, extract data, or take control of the system.

Affected Systems

WordPress installations running the Squeeze plugin by Bogdan Bendziukov, version 1.6 or earlier. The issue affects all sites that have not upgraded beyond version 1.6 and still rely on the default upload functionality of the plugin.

Risk and Exploitability

The CVSS score of 9.1 highlights a high severity. The EPSS score of less than 1% suggests a low probability of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires access to the plugin’s upload page through the WordPress admin interface. The attack vector is inferred to be a remote authenticated user who can upload files; once the malicious file is stored, it may be executed or accessed to gain further privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Bogdan Bendziukov

Squeeze

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.6

No data.

Vendor	Product	Confidence	Versions
Bogdan Bendziukov	Squeeze	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Squeeze plugin to the latest version that removes the vulnerable upload path.
If an update is unavailable, delete the plugin and remove its directories from the WordPress installation.
Configure the WordPress upload settings or use a security plugin to restrict allowed file types and enforce MIME type checks.

Generated by OpenCVE AI on April 30, 2026 at 23:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10667	Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through 1.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00379.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/squeeze/vulnerability/wordpress-squeeze-plugin-1-6-arbitrary-file-upload-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through 1.6.	Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze squeeze allows Using Malicious Files.This issue affects Squeeze: from n/a through <= 1.6.
References	https://patchstack.com/database/wordpress/plugin/squeeze/vulnerability/wordpress-squeeze-plugin-1-6-arbitrary-file-upload-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/squeeze/vulnerability/wordpress-squeeze-plugin-1-6-arbitrary-file-upload-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Wed, 09 Apr 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through 1.6.
Title		WordPress Squeeze plugin <= 1.6 - Arbitrary File Upload vulnerability
Weaknesses		CWE-434
References		https://patchstack.com/database/wordpress/plugin/squeeze/vulnerability/wordpress-squeeze-plugin-1-6-arbitrary-file-upload-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Bogdan Bendziukov Squeeze

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-09T16:10:21.173Z

Updated: 2026-04-28T16:12:03.328Z

Reserved: 2025-03-26T09:22:48.162Z

Link: CVE-2025-31002

Vulnrichment

Updated: 2025-04-09T17:52:24.975Z

NVD

Status : Deferred

Published: 2025-04-09T17:15:32.623

Modified: 2026-04-23T15:27:30.683

Link: CVE-2025-31002

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:45:03Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object