Arbitrary File Upload Vulnerability in Aeropage Sync for Airtable Plugin by WordPress
CVE-2025-3914

8.8HIGH

Key Information:

Vendor: WordPress
Status: Aeropage Sync For Airtable
Vendor: CVE Published:; 26 April 2025

What is CVE-2025-3914?

CVE-2025-3914 refers to a vulnerability in the Aeropage Sync for Airtable plugin designed for WordPress, which is a tool that facilitates the synchronization of Airtable data with WordPress installations. This specific vulnerability arises from inadequate file type validation, allowing authenticated users with Subscriber-level access or higher to upload arbitrary files to the server. This flaw could give malicious actors the potential to execute unauthorized code, undermining the security of the affected WordPress sites and putting sensitive data and operations at risk.

Technical Details

The vulnerability resides in the 'aeropage_media_downloader' function of the Aeropage Sync for Airtable plugin, existing in all versions up to and including 3.2.0. The absence of robust validation checks for uploaded file types means that an attacker can exploit this flaw by uploading malicious files that may result in the execution of arbitrary code on the server. This risk is exacerbated by the fact that even users with limited access can exploit it, raising concerns about the security of server environments running this widely-used plugin.

Potential impact of CVE-2025-3914

Remote Code Execution (RCE): The primary concern with this vulnerability is the potential for remote code execution, allowing attackers to run arbitrary commands on the server, which could lead to a complete takeover of the affected environment.
Data Compromise: With the ability to execute unauthorized code, attackers could gain access to sensitive data stored on the server, leading to data breaches that may expose personal information of users or proprietary business information.
Service Disruption: The exploitation of this vulnerability could allow attackers to disrupt services by deploying malware, such as ransomware, or by altering server operations, which could result in downtime and loss of service availability for legitimate users.

Affected Version(s)

Aeropage Sync for Airtable * <= 3.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/aeropage-sync-...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 26, 2025
Vulnerability Reserved
Apr 23, 2025

Credit

Cheng Liu