Arbitrary File Upload Vulnerability in Qyrr QR-Code Plugin for WordPress
CVE-2025-10000

6.4 MEDIUM

What is CVE-2025-10000?

The Qyrr QR-Code creation plugin for WordPress is susceptible to an arbitrary file upload vulnerability caused by inadequate file type validation in its blob_to_file() function. This weakness affects all versions up to and including 2.0.7. Authenticated users with Contributor-level access or higher are able to exploit this vulnerability to upload any type of file, potentially leading to remote code execution on the server hosting the affected WordPress site.

Affected Version(s)

Qyrr – simply and modern QR-Code creation * <= 2.0.7

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alexander Chikaylo