exploitDog

CVE-2025-5831

Опубликовано: 25 июл. 2025

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Ссылки

https://droip.com/
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/dd129829-9682-4def-a07f-66f9178eeb77?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:themeum:droip:*:*:*:*:*:wordpress:*:*

Версия до 2.2.0 (включая)

EPSS

Процентиль: 44%

0.00219

Низкий

8.8 High

CVSS3

Дефекты

CWE-434

Связанные уязвимости

GHSA-qcv8-39fr-gcc3

CVSS3: 8.8

github

7 месяцев назад

The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

EPSS

Процентиль: 44%

0.00219

Низкий

8.8 High

CVSS3

Дефекты

CWE-434