CVE Alert: CVE-2025-10049 – nik00726 – Responsive Filterable Portfolio
CVE-2025-10049
The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.
AI Summary Analysis
Risk verdict
High risk if an Administrator-level account is compromised or misused to upload malicious files; current SSVC data show exploitation is not active.
Why this matters
Unrestricted uploads allow remote code execution on the host, giving an attacker the ability to take control of the site, exfiltrate data, or pivot to connected services. Because the flaw requires admin-level access, an attacker first needs to obtain that access, typically through credential theft or an earlier internal compromise; once achieved, the impact on reputation and uptime is broad.
Most likely attack path
The attack requires an administrator account to be compromised or otherwise available to the attacker. Once authenticated, the attacker can upload arbitrary payloads via the HdnMediaSelection_image field because file-type validation is missing, potentially achieving total system compromise. The CVSS vector indicates network reachability and high impact once preconditions are met, but the high privilege requirement limits opportunistic exploitation to targets where valid admin credentials are already in hand.
Who is most exposed
WordPress sites using this plugin, especially self-hosted or managed hosting environments with high-value admin accounts and permissive file upload settings. Organisations on shared hosting or with weak admin credential hygiene are particularly at risk.
Detection ideas
- Monitor for uploads of unusual file types through the media uploader, especially executable/script files.
- Look for new PHP or shell-like files in plugin or uploads directories.
- Alert on spikes in admin activity around media fields or plugin settings.
- Track changes to plugin code or related configuration files.
- Inspect web server logs for anomalous file-creation events tied to admin sessions.
Mitigation and prioritisation
- Patch to the latest release (≥1.0.25) or deactivate the plugin until updated.
- Enforce strict file-type validation and content-type checks server-side.
- Implement least-privilege admin access; enforce MFA and rotate credentials.
- Deploy WAF rules to block dangerous upload types and known payload patterns.
- Include this in the next change window; treat as priority 2 unless EPSS/KEV indicates heightened urgency.
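The detection items above (new PHP or shell-like files under the uploads tree) and the mitigation item on strict server-side file-type validation rest on the same check: does the file's name and content match an allowed media type? The following script is an added example, not code from the plugin or from the original advisory. It implements that check once as `classify_upload` and then reuses it to walk an uploads directory. The allowlist, magic-number table and sample files are constructed for the demonstration; the sample PHP content is an inert marker, not a payload.

```python
import tempfile
from pathlib import Path

# Extensions the media uploader is allowed to accept (constructed allowlist for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Extensions a web server may execute; any of these under wp-content/uploads is a finding.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "sh", "cgi", "pl"}

# Leading bytes (magic numbers) expected for each allowed type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
}


def classify_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons an upload should be rejected; an empty list means accept.

    Checks: final extension against the allowlist, every extension in the name
    (catches double extensions such as image.php.jpg), magic bytes for the
    claimed type, and PHP open tags embedded in the content.
    """
    reasons = []
    parts = filename.lower().split(".")
    exts = parts[1:]  # all extensions after the base name
    if not exts:
        return ["no file extension"]
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension not allowed: .{final}")
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension in name: .{ext}")
    expected = MAGIC.get(final)
    if expected and not any(data.startswith(m) for m in expected):
        reasons.append(f"content does not match .{final} magic bytes")
    if b"<?php" in data or b"<?=" in data:
        reasons.append("PHP open tag found in content")
    return reasons


def scan_directory(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree and report every file that classify_upload would reject."""
    findings = {}
    base = Path(root)
    for path in base.rglob("*"):
        if path.is_file():
            # Only the first 8 KiB is needed for magic bytes; PHP tags are usually near the top.
            reasons = classify_upload(path.name, path.read_bytes()[:8192])
            if reasons:
                findings[path.relative_to(base).as_posix()] = reasons
    return findings


def build_sample_uploads(root: str) -> None:
    """Populate a directory with constructed sample files (not real captured data)."""
    samples = {
        "2025/09/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,       # legitimate JPEG
        "2025/09/doc.pdf": b"%PDF-1.4\n%constructed sample\n",        # legitimate PDF
        "2025/09/shell.php": b"<?php echo 'marker'; ?>",              # executable file in uploads
        "2025/09/image.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,  # double extension
        "2025/09/avatar.png": b"<?php echo 'marker'; ?>",             # PHP hidden behind .png
    }
    for rel, content in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_uploads(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for rel_path, why in sorted(run_demo().items()):
        print(f"{rel_path}: {'; '.join(why)}")
```

Run as a script it prints three findings (`shell.php`, `image.php.jpg`, `avatar.png`) and accepts the two genuine files. `classify_upload` is the piece an upload handler would call before writing anything to disk; `scan_directory` is the same logic applied retroactively, which is what a scheduled detection job over `wp-content/uploads` and plugin directories needs.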