Arbitrary File Upload Vulnerability in Echo RSS Feed Post Generator Plugin for WordPress
CVE-2025-4391

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Echo Rss Feed Post Generator
Vendor: CVE Published:; 17 May 2025

What is CVE-2025-4391?

The Echo RSS Feed Post Generator plugin for WordPress contains a critical vulnerability allowing unauthenticated attackers to upload arbitrary files to the server. This issue arises from inadequate file type validation within the echo_generate_featured_image() function. As a result, attackers can exploit this flaw to potentially execute remote code on affected websites. Deploying this plugin without adequate security measures exposes WordPress users to significant risks.

Affected Version(s)

Echo RSS Feed Post Generator * <= 5.4.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/echo-rss-feed-post-generator-...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 17, 2025
Vulnerability Reserved
May 6, 2025

Credit

Friderika Baranyai