Description
The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-06-18
Score: 8.8 High
EPSS: 1.4% Low
KEV: No
Impact: Remote Code Execution via arbitrary file upload
Action: Immediate Patch
AI Analysis

Impact

The Pixabay Images plugin for WordPress allows authenticated users with Author or higher access to upload arbitrary files because the pixabay_upload function lacks file type validation. The missing validation permits malicious files, including scripts, to be stored on the web server, which could lead to remote code execution. This is a classic example of CWE-434.

Affected Systems

Byrev’s Pixabay Images plugin for WordPress, versions up to and including 3.4, is vulnerable. Any site using a WordPress installation with this plugin version is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity, and an EPSS score of 1%, reflecting a moderate likelihood of exploitation. It is not listed in CISA’s KEV catalog. Authenticated attackers exploiting this flaw would likely do so via normal WordPress login as an Author or higher role, after which they can upload malicious files to trigger code execution.

Generated by OpenCVE AI on April 21, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pixabay Images plugin to the latest version (3.5 or newer) where file type validation has been added.
  • If an upgrade is not immediately possible, remove upload capabilities from the Author role or any role that does not require file uploads by adjusting WordPress capabilities or using a plugin that limits file permissions.
  • Enforce file type restrictions on the server or with a security plugin to block non‑image uploads.
  • Continuously monitor the upload directory for unexpected or executable files and audit access logs for suspicious activity.

Generated by OpenCVE AI on April 21, 2026 at 20:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18639 The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Wed, 18 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Jun 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title Pixabay Images <= 3.4 - Authenticated (Author+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:28.917Z

Reserved: 2025-05-07T10:18:02.747Z

Link: CVE-2025-4413

cve-icon Vulnrichment

Updated: 2025-06-18T14:57:39.430Z

cve-icon NVD

Status : Deferred

Published: 2025-06-18T03:15:25.560

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4413

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses