CVE-2025-69403 - Vulnerability Details

- WordPress Bravis Addons plugin <= 1.3.0 - Arbitrary File Upload vulnerability

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0.

Published: 2026-02-20

Score: 9.9 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Bravis‑Themes Bravis Addons plugin up through version 1.3.0 suffers from an unrestricted upload vulnerability that permits an attacker to upload files with dangerous content. Because the plugin does not enforce file type validation or size limits, an adversary can upload executable scripts, web shells or cross‑site scripting payloads. Successful exploitation could lead to remote code execution, data exfiltration or denial of service against the WordPress site.

Affected Systems

Any WordPress site that has Bravis Addons installed with a version no later than 1.3.0 is affected. The plugin vendor, Bravis‑Themes, acknowledges that all releases from the first public launch up to 1.3.0 lack proper upload filtering. Sites migrating to the official WordPress repository remain vulnerable until they update.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. The EPSS score is under 1%, suggesting that exploit attempts are rare, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, attackers can leverage common file upload techniques; the threat is still substantial because the flaw originates in the plugin core, not merely an external dependency. The attack vector is inferred to be web‑based, typically through the plugin’s upload interface, without requiring privileged credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Bravis-Themes

Bravis Addons

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.3.0

No data.

Vendor Product Confidence Versions

Bravis-themes

Bravis Addons

100%

Version	Status	Scheme	Platform
`[0,1.1.9]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Bravis Addons to a release newer than 1.3.0 to remove the upload flaw.
Configure WordPress to allow only safe file types and enforce strict MIME type checks on uploads.
Deploy a web application firewall rule set that blocks uploads of executable or script files and monitor the upload directory for unauthorized files.

Generated by OpenCVE AI on April 28, 2026 at 09:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00063.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/bravis-addons/vulnerability/wordpress-bravis-addons-plugin-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.1.9.	Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.3.0.
Title	WordPress Bravis Addons plugin <= 1.1.9 - Arbitrary File Upload vulnerability	WordPress Bravis Addons plugin <= 1.3.0 - Arbitrary File Upload vulnerability
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 25 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Mon, 23 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bravis-themes Bravis-themes bravis Addons Wordpress Wordpress wordpress
Vendors & Products		Bravis-themes Bravis-themes bravis Addons Wordpress Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.1.9.
Title		WordPress Bravis Addons plugin <= 1.1.9 - Arbitrary File Upload vulnerability
Weaknesses		CWE-434
References		https://patchstack.com/database/Wordpress/Plugin/bravis-addons/vulnerability/wordpress-bravis-addons-plugin-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve

Subscriptions

Bravis-themes Bravis Addons

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-02-20T15:46:57.715Z

Updated: 2026-04-28T21:00:32.060Z

Reserved: 2025-12-31T20:13:23.066Z

Link: CVE-2025-69403

Vulnrichment

Updated: 2026-02-25T14:45:50.208Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:26.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:30:26Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object