CVE-2025-5395 - Vulnerability Details

- WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload

Description

The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Published: 2025-06-11

Score: 8.8 High

EPSS: 1.4% Low

KEV: No

Impact:

Action:

Analysis

Impact

The WordPress Automatic Plugin is vulnerable to arbitrary file uploads due to insufficient file type validation in the core.php file. Authenticated attackers of Author level or higher can upload any file, which may result in remote code execution. This weakness is identified as CWE-434, highlighting a lack of proper file type verification.

Affected Systems

The vulnerability affects ValvePress WordPress Automatic Plugin versions up to and including 3.115.0. It applies to any WordPress site that has this plugin installed and running the listed versions.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered high severity. The EPSS score of 1% indicates a low but non‑zero probability that it will be exploited before a patch is applied. The acceptance of the KEV status confirms it is not a widely documented exploitation scenario yet. The attack requires valid Author‑level credentials; once authenticated, the attacker can upload malicious files and potentially execute code on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ValvePress

WordPress Automatic Plugin

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.115.0

No data.

Vendor	Product	Confidence	Versions
Valvepress	Wordpress Automatic Plugin	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the WordPress Automatic Plugin to version 3.116 or later, which removes the file type validation flaw.
Revoke or restrict Author‑level users that do not require the ability to upload content, ensuring only trusted administrators can upload files.
Configure the web server or use a security plugin to enforce strict file type checks (e.g., allow only image MIME types) and block PHP or executable file uploads to the plugin’s upload directories.

Generated by OpenCVE AI on April 21, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-18086	The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01355.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://codecanyon.net/item/wordpress-automatic-plugin/1904470#item-description__changelog
https://www.wordfence.com/threat-intel/vulnerabilities/id/57be67fd-8485-495f-b5e9-6eb52af945b7?source=cve

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00264}`	epss `{'score': 0.00305}`

Wed, 11 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 11 Jun 2025 06:45:00 +0000

Type	Values Removed	Values Added
Description		The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title		WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload
Weaknesses		CWE-434
References		https://codecanyon.net/item/wordpress-automatic-plugin/1904470#item-description__changelog https://www.wordfence.com/threat-intel/vulnerabilities/id/57be67fd-8485-495f-b5e9-6eb52af945b7?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Valvepress Wordpress Automatic Plugin

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-06-11T06:39:46.773Z

Updated: 2026-04-08T16:54:27.657Z

Reserved: 2025-05-30T16:08:21.847Z

Link: CVE-2025-5395

Vulnrichment

Updated: 2025-06-11T13:22:01.373Z

NVD

Status : Deferred

Published: 2025-06-11T07:15:24.800

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5395

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object