Description
The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-05-17
Score: 9.8 Critical
EPSS: 2.1% Low
KEV: No
Impact: Remote code execution via arbitrary file upload
Action: Immediate patch
AI Analysis

Impact

The Echo RSS Feed Post Generator plugin for WordPress allows file uploads without validating the file type in the echo_generate_featured_image() function, which is present in all versions up to and including 5.4.8.1. This missing validation enables an attacker who does not have to authenticate to the WordPress site to upload any file they choose to the server. If the web server executes files from the location where the upload lands, an attacker could place a malicious script and then run it, giving them the ability to execute arbitrary code on the host. The flaw is a classic example of CWE-434, Unrestricted Upload of File with Dangerous Type.

Affected Systems

The affected product is CodeRevolution’s Echo RSS Feed Post Generator plugin for WordPress. All releases through 5.4.8.1 are vulnerable; any installation of the plugin with a version number of 5.4.8.1 or older is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score of 2% indicates that exploitation is currently unlikely, though the probability is non-zero, and the issue is not yet listed in CISA's KEV catalog. Attackers do not need access to the WordPress admin interface; they only need to be able to reach the code path that performs the upload, typically through a publicly accessible URL, making the attack straightforward once the plugin is present.

Generated by OpenCVE AI on April 21, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Echo RSS Feed Post Generator to a version newer than 5.4.8.1 or install a patch that enforces file type validation.
  • If an upgrade is not immediately possible, block unauthenticated access to the plugin’s upload endpoint using .htaccess rules or a security plugin that restricts file uploads to authenticated users.
  • Configure the server so that the directory used for uploads is not executable and monitor server logs for suspicious upload attempts.
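As an added example, not the plugin's own code and not a vendor fix (the page states none is available): a hardened image-sideload helper written against the WordPress API, showing the file type validation that the Impact paragraph says is missing and that the recommended actions call for. The function name example_sideload_featured_image() and its structure are assumptions; the real echo_generate_featured_image() is not reproduced here.

```php
<?php
// Added example, not the plugin's code: a hardened "fetch a remote image and attach
// it as the featured image" helper. Function name and structure are assumptions.
function example_sideload_featured_image( string $url, int $post_id ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    // Accept only http(s) sources.
    if ( ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'bad_url', 'Refusing non-HTTP(S) source.' );
    }
    // Download to a temp file under WordPress's control, with a timeout.
    $tmp = download_url( $url, 30 );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    // Decide the type from the bytes on disk, never from the URL or the remote
    // Content-Type header. getimagesize() returns false for non-image data.
    $allowed = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    );
    $info = @getimagesize( $tmp );
    $mime = $info ? $info['mime'] : '';
    if ( ! isset( $allowed[ $mime ] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_type', 'Downloaded file is not an allowed image.' );
    }
    // Store under a server-chosen name whose extension matches the real type,
    // so nothing from the source URL (e.g. a .php suffix) reaches the filename.
    $file = array(
        'name'     => sanitize_file_name( wp_generate_uuid4() . '.' . $allowed[ $mime ] ),
        'tmp_name' => $tmp,
    );
    // media_handle_sideload() runs wp_check_filetype_and_ext() and the
    // upload_mimes allow-list as a second gate before moving the file into uploads/.
    $attachment_id = media_handle_sideload( $file, $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        return $attachment_id;
    }
    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```

Pair this with the third recommended action: even a validated uploads directory should be served with script execution disabled so a bypass of the type check cannot become code execution.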

Advisories

Source: EUVD
ID: EUVD-2025-15566
Title: The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

History

Mon, 19 May 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 17 May 2025 05:45:00 +0000

Type: Description
Values added: The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Type: Title
Values added: Echo RSS Feed Post Generator <= 5.4.8.1 - Unauthenticated Arbitrary File Upload

Type: Weaknesses
Values added: CWE-434

Type: References (no values listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:00:51.207Z
Reserved: 2025-05-06T19:34:58.959Z
Link: CVE-2025-4391

Vulnrichment

Updated: 2025-05-19T15:43:01.077Z

NVD

Status: Deferred
Published: 2025-05-17T06:15:19.140
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-4391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:35Z

Weaknesses