Description
Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 8.34.
Published: 2025-09-26
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery vulnerability in the AR For WordPress plugin allows an attacker to upload a web shell to the web server, effectively providing remote code execution capability. The weakness is identified as CWE‑352 and is present in all releases of the plugin up to version 8.34.

Affected Systems

The vulnerability affects the webandprint AR For WordPress plugin for WordPress sites. All installed versions from the earliest releases through 8.34 are vulnerable, regardless of WordPress version.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.6, indicating a high severity level. The EPSS score of less than 1 % suggests the likelihood of exploitation is currently low, but the attack risks are severe. The CMS is not listed in the CISA KEV catalog. The likely attack path involves a user authenticated to the WordPress dashboard being tricked into loading a crafted request that triggers the upload function, which then stores a malicious file on the server. Successful exploitation would enable an attacker to execute arbitrary code on the host.

Generated by OpenCVE AI on April 30, 2026 at 05:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AR For WordPress to a version newer than 8.34 or apply the vendor‑supplied patch that removes the upload capability for arbitrary files.
  • If an upgrade is not immediately possible, restrict the upload feature to users with administrative privileges or disable it entirely for lower‑privileged roles.
  • Add or verify CSRF token validation on the upload endpoint; if the plugin does not already implement this, apply a nonce check or use a security plugin to enforce CSRF protection.

Generated by OpenCVE AI on April 30, 2026 at 05:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31249 Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress allows Upload a Web Shell to a Web Server. This issue affects AR For WordPress: from n/a through 7.98.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 8.36. Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 8.34.
Title WordPress AR For WordPress plugin <= 8.36 - Cross Site Request Forgery (CSRF) vulnerability WordPress AR For WordPress plugin <= 8.34 - Cross Site Request Forgery (CSRF) vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 8.34. Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 8.36.
Title WordPress AR For WordPress plugin <= 8.34 - Cross Site Request Forgery (CSRF) vulnerability WordPress AR For WordPress plugin <= 8.36 - Cross Site Request Forgery (CSRF) vulnerability
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress allows Upload a Web Shell to a Web Server. This issue affects AR For WordPress: from n/a through 7.98. Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 8.34.
Title WordPress AR For WordPress Plugin <= 7.98 - Cross Site Request Forgery (CSRF) Vulnerability WordPress AR For WordPress plugin <= 8.34 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Webandprintdesign
Webandprintdesign ar For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Webandprintdesign
Webandprintdesign ar For Wordpress
Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress allows Upload a Web Shell to a Web Server. This issue affects AR For WordPress: from n/a through 7.98.
Title WordPress AR For WordPress Plugin <= 7.98 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Webandprintdesign Ar For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:55.863Z

Reserved: 2025-09-25T15:28:03.107Z

Link: CVE-2025-60156

cve-icon Vulnrichment

Updated: 2025-09-26T14:11:17.260Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:44.570

Modified: 2026-04-28T19:34:38.980

Link: CVE-2025-60156

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T06:00:12Z

Weaknesses