Description
The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and excluding, 2.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-07-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution potential via arbitrary file upload
Action: Patch Immediately
AI Analysis

Impact

The Droip plugin for WordPress allows authenticated users with Subscriber-level access or higher to upload arbitrary files because the make_google_font_offline() function lacks proper file type validation. Uploaded files may then be executed on the server, enabling remote code execution. This vulnerability is classified as CWE-434 (unrestricted upload of a file with a dangerous type). In practice, an attacker holding any legitimate or compromised Subscriber-level (or higher) account can use the upload mechanism to place malicious code on the web server, compromising the confidentiality, integrity, and availability of the site and potentially the underlying server.

Affected Systems

Affects the Droip plugin for WordPress, version 2.5.1 and earlier. The plugin is distributed via the WordPress ecosystem and is available from the official plugin repository and the Droip website. Any WordPress installation that has the Droip plugin at a version that is less than 2.5.2 is vulnerable, regardless of other security settings, because the vulnerability resides purely in the plugin's file upload routine.

Risk and Exploitability

The CVSS score of 8.8 marks this vulnerability as high severity. The EPSS score of < 1% indicates that, while the probability of an exploit in the wild is currently low, the existence of the flaw remains a significant risk. The vulnerability is not listed in the CISA KEV catalog, so no mandatory mitigations are in place, but the situation demands careful attention. An attacker must be authenticated as a Subscriber or higher user to exploit the flaw, which limits the attack surface to users with legitimate or compromised credentials on the target WordPress site.

Generated by OpenCVE AI on April 20, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Droip plugin to version 2.5.2 or later, ensuring the fixed file type validation is applied.
  • If an upgrade is not immediately possible, disable file uploads for all roles except administrators, or apply a server-side whitelist that rejects non-image file types for the make_google_font_offline() endpoint.
  • Implement additional monitoring to detect unexpected file creation in the uploads directory, and configure the web server to deny execution of uploaded files outside the designated images folder.
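The file type validation and uploads-directory monitoring described in the actions above, as an added example (not Droip's own code): a scanner that walks a directory where a font-mirroring routine stores its files and flags anything that is not a font by extension allowlist and magic bytes, or that carries a PHP tag or a server-executable extension. The directory layout, the extension lists and the sample files are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# Font formats a Google-font mirroring routine would legitimately store,
# keyed by extension with the magic bytes each format begins with.
# Assumed allowlist; adjust to the formats your site actually serves.
FONT_MAGIC = {
    ".woff": b"wOFF",
    ".woff2": b"wOF2",
    ".ttf": b"\x00\x01\x00\x00",
    ".otf": b"OTTO",
}

# Extensions a web server may execute if they land in a writable directory.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar", ".cgi"}


def classify(path):
    """Return 'ok', or a short reason why the file should not be in a font directory."""
    ext = Path(path).suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if ext in EXECUTABLE_EXTS:
        return "executable extension"
    if b"<?php" in head or b"<?=" in head:
        return "php tag in content"
    expected = FONT_MAGIC.get(ext)
    if expected is None:
        return "extension not in font allowlist"
    if not head.startswith(expected):
        return "magic bytes do not match extension"
    return "ok"


def scan_font_dir(root):
    """Walk root and return {relative_path: reason} for every file that is not 'ok'."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict != "ok":
                findings[os.path.relpath(full, root)] = verdict
    return findings


def demo():
    """Constructed sample tree: one genuine WOFF2 file and four impostors."""
    root = tempfile.mkdtemp()
    samples = {
        "roboto.woff2": b"wOF2" + b"\x00" * 60,      # genuine font header
        "shell.php": b"<?php /* not a font */ ?>",     # executable extension
        "lato.woff": b"<?php /* renamed */ ?>",        # PHP hidden under a font name
        "fake.ttf": b"GIF89a" + b"\x00" * 20,          # wrong magic for .ttf
        "notes.txt": b"hello",                          # not a font type at all
    }
    for name, body in samples.items():
        Path(root, name).write_bytes(body)
    return scan_font_dir(root)
```

Run `demo()` to see the verdicts; in a real deployment point `scan_font_dir` at the plugin's offline-font folder under wp-content/uploads and alert on any non-empty result.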


Advisories

Source: EUVD
ID: EUVD-2025-22576
Title: The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Values Added: The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and excluding, 2.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Type: Title
Values Removed: Droip <= 2.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
Values Added: Droip < 2.5.2 - Authenticated (Subscriber+) Arbitrary File Upload

Mon, 28 Jul 2025 15:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:themeum:droip:*:*:*:*:*:wordpress:*:*

Fri, 25 Jul 2025 16:00:00 +0000

Type: First Time appeared
Values Added: Themeum; Themeum droip; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themeum; Themeum droip; Wordpress; Wordpress wordpress

Fri, 25 Jul 2025 12:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 25 Jul 2025 07:00:00 +0000

Type: Description
Values Added: The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Type: Title
Values Added: Droip <= 2.2.0 - Authenticated (Subscriber+) Arbitrary File Upload

Type: Weaknesses
Values Added: CWE-434

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:57.185Z

Reserved: 2025-06-06T19:39:29.622Z

Link: CVE-2025-5831

Vulnrichment

Updated: 2025-07-25T11:42:44.120Z

NVD

Status: Modified

Published: 2025-07-25T07:15:26.143

Modified: 2026-04-08T19:24:23.280

Link: CVE-2025-5831

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:15:06Z

Weaknesses