Arbitrary File Upload Vulnerability in WordPress Automatic Plugin by WordPress
CVE-2025-5395

8.8HIGH

Key Information:

Vendor: WordPress
Status: WordPress Automatic Plugin
Vendor: CVE Published:; 11 June 2025

What is CVE-2025-5395?

The WordPress Automatic Plugin is susceptible to an arbitrary file upload vulnerability due to inadequate file type validation in the core.php file. This flaw affects all versions up to and including 3.115.0, allowing authenticated attackers with Author-level access or higher to upload problematic files on the server. Successfully exploiting this vulnerability could lead to remote code execution, posing significant risks to the integrity and security of affected WordPress sites.

Affected Version(s)

WordPress Automatic Plugin * <= 3.115.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/wordpress-automatic-plugin/19...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2025
Vulnerability Reserved
May 30, 2025

Credit

Trương Hữu Phúc (truonghuuphuc)