CVE-2025-1028 – WordPress Contact Manager Plugin File Upload Vulnerability

The following table lists the changes that have been made to the CVE-2025-1028 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received by [email protected]

    Feb. 05, 2025

    Action Type Old Value New Value
    Added Description The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.
    Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-434
    Added Reference https://plugins.trac.wordpress.org/changeset?old_path=/contact-manager/tags/8.6.4&new_path=/contact-manager/tags/8.6.5&sfp_email=&sfph_mail=
    Added Reference https://www.wordfence.com/threat-intel/vulnerabilities/id/b6f51a8e-4a59-4b64-b0c6-2ce3933a1df5?source=cve

نوشته های مشابه

CVE-2025-1022 – Spatie Browsershot Improper Input Validation

CVE-2025-1026 – Spatie Browsershot URL Validation Bypass Vulnerability

CVE-2025-25246 – NETGEAR XR RCE

CVE-2025-23114 – Veeam Man-in-the-Middle TLS Certificate Validation Bypass