Arbitrary File Upload Vulnerability in Echo RSS Feed Post Generator Plugin for WordPress
CVE-2025-4391

9.8 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 17 May 2025

What is CVE-2025-4391?

The Echo RSS Feed Post Generator plugin for WordPress contains a critical vulnerability that allows unauthenticated attackers to upload arbitrary files to the server. The issue stems from inadequate file type validation in the echo_generate_featured_image() function. As a result, an attacker may be able to achieve remote code execution on affected sites. Running this plugin without adequate security measures exposes WordPress sites to significant risk.
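The weakness described above is the absence of content-based file type checks when a remote image is turned into a featured image. The following added example is not the plugin's code; it is a hypothetical defensive routine that shows the checks a WordPress plugin should perform before sideloading a remote image (scheme allowlist, extension allowlist, and a content check via WordPress's own wp_check_filetype_and_ext), assuming a loaded WordPress environment.

```php
<?php
// Added example, not from the plugin: defensively sideload a remote image URL
// (e.g. one taken from an RSS item) as a post's featured image.
// Assumes WordPress core is loaded (download_url, wp_check_filetype_and_ext,
// media_handle_sideload, set_post_thumbnail are all WordPress functions).

function safe_sideload_featured_image( string $url, int $post_id ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // Fetch over http(s) only; reject other schemes (file://, php://, data:, ...).
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http(s) URLs are allowed.' );
    }

    // Download to a temporary file first; nothing touches the uploads directory yet.
    $tmp = download_url( $url, 15 );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    // Derive a filename from the URL path (query string ignored) and allow
    // only a fixed set of image extensions.
    $name    = sanitize_file_name( basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
    $ext     = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'webp' );
    if ( ! in_array( $ext, $allowed, true ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_ext', 'File extension not allowed.' );
    }

    // The extension alone proves nothing: check the actual content against the name.
    $check = wp_check_filetype_and_ext( $tmp, $name );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || 0 !== strpos( $check['type'], 'image/' ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_type', 'File content is not a recognised image.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename']; // WordPress corrected a mismatched extension
    }

    // Store through the normal upload pipeline and attach as the thumbnail.
    $attachment_id = media_handle_sideload( array( 'name' => $name, 'tmp_name' => $tmp ), $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        return $attachment_id;
    }
    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```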

Affected Version(s)

Echo RSS Feed Post Generator <= 5.4.8.1

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Friderika Baranyai