Description
The BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the store_javascript_cache.php file in all versions up to, and including, 2.2.42. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-08-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The BerqWP plugin allows arbitrary files to be uploaded because store_javascript_cache.php does not perform file type validation. An unauthenticated attacker can place malicious code on the server; the vulnerability falls under CWE-434. If a PHP script or other executable file is uploaded, the attacker may obtain remote code execution on the victim’s web server.

Affected Systems

WordPress sites that have the BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin installed in any version up to and including 2.2.42.

Risk and Exploitability

The CVSS score of 8.1 highlights high severity, but the EPSS score of less than 1% suggests a low probability of exploitation at present. The plugin’s endpoints are reachable without authentication, providing an unauthenticated attack vector that could allow an attacker to upload executable files and execute them on the server. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BerqWP plugin to the latest version (2.2.43 or newer) to apply the vendor patch that validates file types.
  • If an upgrade is not possible, immediately remove or disable the store_javascript_cache.php file to block the vulnerable upload endpoint.
  • Configure the server so that any uploaded files are stored outside the web‑accessible directory and ensure that file permissions on those directories do not allow execution of uploaded content.

Generated by OpenCVE AI on April 21, 2026 at 03:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23334 The BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the store_javascript_cache.php file in all versions up to, and including, 2.2.42. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Mon, 04 Aug 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Berqier
Berqier berqwp
Wordpress
Wordpress wordpress
Vendors & Products Berqier
Berqier berqwp
Wordpress
Wordpress wordpress

Fri, 01 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 Aug 2025 04:45:00 +0000

Type Values Removed Values Added
Description The BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the store_javascript_cache.php file in all versions up to, and including, 2.2.42. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title BerqWP <= 2.2.42 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Berqier Berqwp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:53.549Z

Reserved: 2025-07-10T19:41:10.890Z

Link: CVE-2025-7443

cve-icon Vulnrichment

Updated: 2025-08-01T13:29:32.784Z

cve-icon NVD

Status : Deferred

Published: 2025-08-01T05:15:36.743

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7443

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses