CVE-2025-1028
CVSS 3.1 Score 8.1 of 10 (high)
Details
Published Feb 5, 2025
CWE ID 434 (Unrestricted Upload of File with Dangerous Type)
Summary
CVE-2025-1028 is an arbitrary file upload vulnerability in the Contact Manager plugin for WordPress, affecting all versions up to and including 8.6.4. The contact form upload feature performs no file type validation, so an unauthenticated attacker can upload files of any type to the affected site's server. This can lead to remote code execution in configurations where the web server acts on the first extension of a multi-extension filename rather than the final one (for example, an Apache mod_mime setup that passes a name such as shell.php.jpg to the PHP handler because of the .php segment). Exploitation additionally depends on winning a race condition, which is why the 8.1 score reflects high attack complexity rather than the 9.8 typical of straightforward unauthenticated upload-to-RCE bugs.
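The fix for this class of bug is the check the plugin lacked: an allowlist on the final extension, a refusal of any executable extension anywhere in the name (which closes the first-extension-wins case above), and a server-side rename so the client never chooses the stored filename. The following is an added example written for this page, not code from the Contact Manager plugin or from WordPress core; the allowlist, denylist, and the cm_ prefix are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): filename validation for a contact form
// upload that defends against double-extension tricks such as shell.php.jpg.
// Assumed allowlist of what a contact form legitimately accepts.
const CM_ALLOWED_EXT = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];
// Assumed denylist: extensions that must not appear in ANY dotted segment,
// because Apache mod_mime can hand name.php.jpg to the PHP handler.
const CM_DANGEROUS_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
    'phtml', 'phar', 'phps', 'htaccess', 'cgi', 'pl', 'sh'];

/**
 * Vulnerable pattern for comparison: trust the client-supplied name outright.
 * A request naming the file shell.php.jpg (or shell.php) is stored verbatim.
 */
function cm_unsafe_upload_name(string $clientName): string
{
    return $clientName;
}

/**
 * Hardened version: return a safe storage name, or null to reject the upload.
 * Every extension segment is inspected, not just the last one.
 */
function cm_safe_upload_name(string $clientName): ?string
{
    // Strip any directory component the client may have sent.
    $base  = basename(str_replace('\\', '/', $clientName));
    $parts = explode('.', strtolower($base));

    // Reject names with no extension and dotfiles such as ".htaccess".
    if (count($parts) < 2 || $parts[0] === '') {
        return null;
    }

    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if (in_array($ext, CM_DANGEROUS_EXT, true)) {
            return null; // catches shell.php.jpg as well as shell.php
        }
    }

    $final = end($exts);
    if (!in_array($final, CM_ALLOWED_EXT, true)) {
        return null; // final extension must be on the allowlist
    }

    // Discard the client's name entirely: random basename, one known extension.
    return bin2hex(random_bytes(16)) . '.' . $final;
}

// Constructed inputs showing the difference between the two functions.
foreach (['report.pdf', 'shell.php', 'shell.php.jpg', '.htaccess', 'Photo.PNG'] as $name) {
    $safe = cm_safe_upload_name($name);
    printf("%-14s unsafe=%-14s safe=%s\n", $name,
        cm_unsafe_upload_name($name), $safe ?? 'REJECTED');
}
```

Two companion measures matter as much as the name check. Validate content as well as name (in WordPress, wp_check_filetype_and_ext() compares the claimed extension against the sniffed MIME type), and perform validation and renaming before the file is written anywhere web-reachable, so that the race the advisory mentions has no window in which an unvalidated file sits under the document root. On the server side, mapping PHP with a pattern that anchors on the final extension (a FilesMatch "\.php$" block with SetHandler) instead of a bare AddHandler for .php removes the first-extension-wins behaviour regardless of what a plugin does.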