Description
Subscriber Arbitrary File Upload in PT Luxa Addons <= 1.2.2 versions.
Published: 2026-06-17
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability, classified as CWE‑434, allows the PT Luxa Addons plugin to accept arbitrary files because the upload process lacks proper validation. If an attacker uploads a script or executable and the web server does not block execution, the uploaded content can run with the server’s privileges, providing remote code execution or other destructive actions. The high CVSS score of 9.9 reflects the critical severity of this flaw.

Affected Systems

WordPress sites that run the PT Luxa Addons plugin version 1.2.2 or earlier are affected. No operating‑system, PHP‑version, or user‑role restrictions are mentioned, so any installation of the affected plugin versions is vulnerable.

Risk and Exploitability

Based on the description, it is inferred that the upload endpoint can be abused without authentication or with minimal privileges, making it accessible to a wide range of attackers. The likely attack vector is the plugin’s upload interface exposed over HTTP, allowing a malicious file to be placed in a web‑accessible directory. The EPSS score is not available, so the exact exploitation probability is unknown, but the CVSS score indicates a very high impact. The vulnerability is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on June 18, 2026 at 14:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PT Luxa Addons plugin to a version newer than 1.2.2.
  • If an immediate update is not possible, deactivate or uninstall the plugin to eliminate the upload functionality.
  • Configure the web server or a web application firewall to accept only permitted file types and to prevent execution of uploaded files.

Generated by OpenCVE AI on June 18, 2026 at 14:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wplocker
Wplocker pt Luxa Addons
Vendors & Products Wordpress
Wordpress wordpress
Wplocker
Wplocker pt Luxa Addons

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in PT Luxa Addons <= 1.2.2 versions.
Title WordPress PT Luxa Addons Plugin <= 1.2.2 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wplocker Pt Luxa Addons
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T13:42:11.006Z

Reserved: 2025-09-25T15:34:23.206Z

Link: CVE-2025-60218

cve-icon Vulnrichment

Updated: 2026-06-17T13:42:03.293Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:53Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type