Description
Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed ajar-productions-in5-embed allows Upload a Web Shell to a Web Server. This issue affects Ajar in5 Embed: from n/a through <= 3.1.5.
Published: 2025-05-23
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unrestricted upload of files with dangerous types in the WordPress plugin Ajar in5 Embed. It allows an attacker to upload files such as web shells onto the web server, effectively giving the attacker the ability to execute arbitrary code on the host. This flaw is classified as CWE-434 and can directly compromise the confidentiality, integrity, and availability of the affected site if exploited.

Affected Systems

All versions of the WordPress plugin Ajar in5 Embed from Ajar Productions up to and including 3.1.5 are affected. Sites running any of these versions are potentially vulnerable.

Risk and Exploitability

The CVSS score of 10 indicates a critical severity and the potential for remote code execution. The EPSS score of less than 1% suggests a very low probability of active exploitation at the time of this analysis, and the vulnerability is not yet listed in the CISA KEV catalog. An attacker would typically use the plugin’s upload interface to submit a malicious file, a step that likely requires web access to the administrative interface; no additional privileges are mentioned in the description, so the attack vector is inferred to be remote.

Generated by OpenCVE AI on April 30, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ajar in5 Embed to the latest available version that resolves the vulnerability.
  • If an immediate upgrade is not feasible, disable the plugin’s upload capability or limit accepted file types to non‑executable formats.
  • Implement server-level hardening, such as disabling PHP execution in the uploads directory or configuring .htaccess rules to block execution of uploaded files.



Advisories

Source: EUVD
ID: EUVD-2025-28109
Title: Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed allows Upload a Web Shell to a Web Server. This issue affects Ajar in5 Embed: from n/a through 3.1.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed allows Upload a Web Shell to a Web Server. This issue affects Ajar in5 Embed: from n/a through 3.1.5.
Added: Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed ajar-productions-in5-embed allows Upload a Web Shell to a Web Server. This issue affects Ajar in5 Embed: from n/a through <= 3.1.5.
Title
Removed: WordPress Ajar in5 Embed <= 3.1.5 - Arbitrary File Upload Vulnerability
Added: WordPress Ajar in5 Embed plugin <= 3.1.5 - Arbitrary File Upload Vulnerability
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Fri, 23 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed allows Upload a Web Shell to a Web Server. This issue affects Ajar in5 Embed: from n/a through 3.1.5.
Title WordPress Ajar in5 Embed <= 3.1.5 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:47.896Z

Reserved: 2025-05-07T10:45:05.653Z

Link: CVE-2025-47642

Vulnrichment

Updated: 2025-05-23T17:02:47.514Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:41.767

Modified: 2026-04-23T15:30:39.893

Link: CVE-2025-47642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:30:26Z

Weaknesses