File Upload Vulnerability in Axle Demo Importer Plugin by WordPress
CVE-2025-4954

Currently unrated

Key Information:

Vendor: WordPress
Status: Axle Demo Importer
Vendor: CVE Published:; 10 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-4954?

The Axle Demo Importer plugin for WordPress, prior to version 1.0.3, contains a vulnerability that allows authenticated users, such as authors and above, to upload arbitrary files to the server. This occurs due to a lack of proper validation for uploaded files, which could lead to the execution of potentially malicious PHP scripts. Ensuring the latest version is implemented and reviewing user permissions is crucial for maintaining the security of the server.

Affected Version(s)

Axle Demo Importer 0 <= 1.0.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-4954 - Proof of Concept

References

https://wpscan.com/vulnerability/673f35ff-e1d5-4099-86e7-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 10, 2025
👾
Exploit known to exist
Jun 10, 2025
Vulnerability published
Jun 10, 2025
Vulnerability Reserved
May 19, 2025

Credit

Khaled Alenazi (Nxploited)

WPScan