Arbitrary File Upload Vulnerability in Echo RSS Feed Post Generator Plugin for WordPress
CVE-2025-4391
9.8 CRITICAL
What is CVE-2025-4391?
The Echo RSS Feed Post Generator plugin for WordPress contains a critical vulnerability that allows unauthenticated attackers to upload arbitrary files to the server. The issue arises from inadequate file type validation in the echo_generate_featured_image() function, and attackers can exploit it to potentially execute remote code on affected websites. Running this plugin without adequate security measures exposes WordPress sites to significant risk.
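What adequate file type validation for a downloaded featured image can look like, as an added example that is not the plugin's code. The function name, the allowlist and the sample inputs are hypothetical; the type is decided from the file's bytes, and the stored name and extension are generated server-side.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: detected image type => extension used on disk.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_WEBP => 'webp',
];

/**
 * Returns a safe file name for downloaded image bytes, or null to reject.
 * Hypothetical helper; it never looks at the remote file name or any
 * Content-Type header, because both are supplied by the feed source.
 */
function safe_featured_image_name(string $bytes): ?string
{
    // Identify the format from the content itself.
    $info = @getimagesizefromstring($bytes);
    $ext  = $info === false ? null : (ALLOWED_TYPES[$info[2]] ?? null);
    if ($ext === null) {
        return null; // not a recognised image type: do not write it to disk
    }
    // Random base name plus an extension derived from the detected type,
    // so a remote name ending in ".php" can never reach the uploads folder.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed samples: remote file name => downloaded bytes.
$gifHeader = "GIF89a" . pack('v', 1) . pack('v', 1) . "\x00\x00\x00";
$samples = [
    'photo.gif'     => $gifHeader,
    'thumbnail.jpg' => "<?php /* constructed: script text, not image data */",
    'thumbnail.php' => $gifHeader,
];

foreach ($samples as $remoteName => $bytes) {
    $stored = safe_featured_image_name($bytes);
    printf("%-14s -> %s\n", $remoteName, $stored ?? 'rejected');
}
```

The script runs with the PHP CLI and needs no WordPress installation. In the sample run, the remote name has no influence on whether a file is kept or on what it is called once stored.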
Affected Version(s)
Echo RSS Feed Post Generator * <= 5.4.8.1