The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, an...
Description
The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11
AI Analyst Comment
Remediation
Update the PowerPress plugin to the latest version. Review WordPress security settings and remove the plugin if it is no longer needed.
Executive Summary:
A high-severity vulnerability has been identified in the Blubrry PowerPress plugin for WordPress that could allow an attacker to take complete control of an affected website. The flaw lets an attacker upload files of arbitrary type to the server; on a PHP host that means a web shell, which leads to data theft, website defacement, or use of the server as a staging point for further attacks. One caveat on the exposure assessment: the CVSS score of 8.8 quoted below corresponds to a CVSS v3.1 vector with either a low-privileged authenticated attacker (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) or an unauthenticated attacker who needs a user interaction (PR:N/UI:R); a no-interaction unauthenticated attack with the same impact would score 9.8. Confirm the required privilege level against the vendor advisory before deciding which sites are reachable by whom. Prompt patching is required in either case.
Vulnerability Details
CVE-ID: CVE-2025-13536
Affected Software: Blubrry PowerPress plugin for WordPress
Affected Versions: All versions up to and including 11
Vulnerability:
This vulnerability is an arbitrary file upload caused by insufficient file type validation in the plugin's upload handling. An attacker sends a specially crafted request to that upload functionality with a payload whose filename or declared content type satisfies the weak check, for example a PHP web shell presented as a media or image file, and the server stores it under the site's upload directory. The attacker then requests the stored file directly by URL; if the web server hands it to the PHP interpreter, the script runs with the permissions of the web server process, giving the attacker code execution on the site and a foothold on the underlying host.
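To make the bug class concrete, here is an added example (not PowerPress's code; the function names, the accepted formats and the exact weakness are assumptions chosen for illustration) of an upload check that trusts the client and matches extensions loosely, beside a hardened check that decides from the final extension and the file's own leading bytes:

```python
"""
Illustration of insufficient file type validation on upload, as added
example code: a bypassable check beside a hardened one. Not the plugin's
code; ALLOWED_EXT, the signatures and the function names are assumptions.
"""
import os
from typing import Optional

# Assumed allowlist for a podcast upload endpoint.
ALLOWED_EXT = {"mp3", "m4a", "png", "jpg"}


def weak_is_allowed(filename: str, client_mime: str) -> bool:
    """Insufficient validation: trusts the client-supplied Content-Type and
    accepts any name that merely CONTAINS an allowed extension somewhere.
    'shell.mp3.php' passes, and the web server executes it as PHP."""
    if not client_mime.startswith(("audio/", "image/")):
        return False
    return any("." + ext in filename.lower() for ext in ALLOWED_EXT)


def sniff_type(content: bytes) -> Optional[str]:
    """Detect the format from the file's own leading bytes (minimal, assumed
    signatures); returns the canonical extension or None if unrecognised."""
    if content.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if content.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if content.startswith(b"ID3") or content[:2] in (b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"):
        return "mp3"
    if content[4:8] == b"ftyp":  # ISO-BMFF box header; m4a is one of its brands
        return "m4a"
    return None


def strict_is_allowed(filename: str, content: bytes) -> bool:
    """Hardened validation: reject path components and dotfiles, decide from
    the FINAL extension only, require the content signature to agree with
    that extension, and ignore whatever MIME type the client declared.
    The stored name should then be server-generated (e.g. a UUID plus this
    extension) so that a client-chosen name never reaches disk as-is."""
    base = os.path.basename(filename)  # drops any directory traversal
    if base != filename or base.startswith("."):
        return False
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_EXT:
        return False
    return sniff_type(content) == ext


if __name__ == "__main__":
    shell = b"<?php system($_GET['c']); ?>"  # constructed web shell payload
    for name in ("shell.php", "shell.mp3.php", "shell.php.mp3", "episode.mp3"):
        print(name, "weak:", weak_is_allowed(name, "audio/mpeg"),
              "strict:", strict_is_allowed(name, shell if "shell" in name else b"ID3\x03"))
```

Two design notes. First, the signature check alone is not a defence: a file that starts with a valid ID3 header and carries PHP after it passes `sniff_type`, which is why the final-extension allowlist and a server-generated stored name are the load-bearing checks. Second, even the hardened check is only one layer; the uploads directory should additionally be configured so the web server never executes scripts from it, so that a bypass in the validation does not become code execution.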
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could have severe consequences for the business, including:
Remediation Plan
Immediate Action:
Proactive Monitoring:
wp-content/uploads.
Compensating Controls:
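For the monitoring item above, the following is an added example (not part of this advisory or of PowerPress) of a triage scan over a WordPress uploads tree: it flags files with an executable extension, double extensions that hide a PHP extension, server configuration files that can re-enable PHP execution in that directory, and non-PHP files that contain a PHP open tag. The heuristics, the extension lists and the planted sample files are constructed for illustration and will need tuning for a real site.

```python
"""
Triage scan of a WordPress uploads directory for dropped web shells.
Added example code; PHP_EXTS, MEDIA_EXTS and the sample tree are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions commonly mapped to the PHP interpreter (assumed list).
PHP_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reason: str


def classify(path: str, head: bytes) -> Optional[str]:
    """Return a reason string if the file should not be in an uploads tree."""
    name = os.path.basename(path).lower()
    parts = name.split(".")
    exts = parts[1:] if len(parts) > 1 else []
    last = exts[-1] if exts else ""
    if last in PHP_EXTS:
        return "executable extension .%s inside uploads" % last
    hidden = [e for e in exts[:-1] if e in PHP_EXTS]
    if hidden:
        return "double extension hides .%s before .%s" % (hidden[0], last)
    if name == ".htaccess" or name.endswith(".user.ini"):
        return "server config file in uploads can re-enable PHP execution"
    if PHP_TAG.search(head):
        return "PHP open tag inside non-PHP file %s" % name
    return None


def scan_uploads(root: str, head_bytes: int = 4096) -> List[Finding]:
    """Walk the tree, reading only the first head_bytes of each file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                with open(p, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue
            reason = classify(p, head)
            if reason:
                findings.append(Finding(os.path.relpath(p, root), reason))
    return sorted(findings, key=lambda x: x.path)


def build_sample_tree() -> str:
    """Constructed sample uploads tree: two benign media files and four
    planted bad files. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    d = os.path.join(root, "2025", "11")
    os.makedirs(d)
    samples = {
        "episode-42.mp3": b"ID3\x03\x00" + b"\x00" * 64,
        "cover.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "shell.php": b"<?php system($_GET['c']); ?>",
        "shell.php.mp3": b"ID3\x03\x00<?php eval($_POST['x']); ?>",
        "notes.txt": b"<?= shell_exec($_GET['c']) ?>",
        ".htaccess": b"AddHandler application/x-httpd-php .mp3\n",
    }
    for n, b in samples.items():
        with open(os.path.join(d, n), "wb") as fh:
            fh.write(b)
    return root


if __name__ == "__main__":
    for finding in scan_uploads(build_sample_tree()):
        print("%s: %s" % (finding.path, finding.reason))
```

Run it against the real `wp-content/uploads` path rather than the sample tree, and treat every hit as something to explain rather than auto-delete; a file-modification time newer than the last legitimate upload, or a file owned by the web server user in a directory that should only hold media, is the usual next pivot.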
Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of November 27, 2025, there are no known public exploits or active attacks targeting this vulnerability. However, arbitrary file upload vulnerabilities are trivial to exploit and are a common target for threat actors. Due to the high severity and the widespread use of WordPress, it is highly probable that proof-of-concept exploits will be developed and released publicly in the near future.
Analyst Recommendation
Given the CVSS score of 8.8 and the impact of remote code execution, this vulnerability poses a significant and immediate threat to the organization. We strongly recommend that all teams responsible for WordPress instances inventory the sites running the Blubrry PowerPress plugin, compare the installed version with the vendor's fixed release, and apply the update without delay. Although this vulnerability is not currently on the CISA KEV list, its severity warrants treating it as a critical priority to prevent potential compromise.
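As an added example of the inventory step (not from this advisory or from Blubrry), the function below reads the `Version:` field from a WordPress plugin's header comment and compares it numerically with the first fixed release. The fixed version is a parameter because this page does not state it; take it from the vendor's changelog or the CVE record. The path `wp-content/plugins/powerpress/powerpress.php` used in the lead-in and the sample header are assumptions.

```python
"""
Read a WordPress plugin's header version and compare it with the first
fixed release. Added example code; the header sample is constructed and
the fixed version must be supplied by the operator.
"""
import re
from typing import Optional, Tuple

# WordPress reads 'Version:' from the comment block at the top of the
# plugin's main file, e.g. "Version: 11.9.1" or " * Version: 11.9.1".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def plugin_header_version(header_text: str) -> Optional[str]:
    """Return the raw version string from a plugin header, or None."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.13.7' -> (11, 13, 7). A pre-release suffix after '-' is dropped.
    Comparing the raw strings is the classic mistake: '11.9' > '11.13.7'."""
    nums = re.findall(r"\d+", text.split("-", 1)[0])
    if not nums:
        raise ValueError("no numeric version in %r" % text)
    return tuple(int(n) for n in nums)


def is_vulnerable(installed: str, first_fixed: str) -> bool:
    """True when the installed release precedes the first fixed release."""
    return parse_version(installed) < parse_version(first_fixed)


def check_plugin_file(path: str, first_fixed: str) -> Tuple[Optional[str], Optional[bool]]:
    """Open a plugin main file and report (version, vulnerable?)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        header = fh.read(8192)  # the header comment sits at the top of the file
    version = plugin_header_version(header)
    if version is None:
        return None, None
    return version, is_vulnerable(version, first_fixed)


# Constructed sample of the header block a plugin main file starts with.
SAMPLE_HEADER = """<?php
/*
Plugin Name: PowerPress Podcasting plugin by Blubrry
Plugin URI: https://www.powerpresspodcast.com/
Version: 11.9.1
*/
"""

if __name__ == "__main__":
    import sys
    # Usage: python check.py /var/www/wp-content/plugins/powerpress/powerpress.php 11.13.8
    # (the second argument is whatever release the vendor lists as fixed)
    if len(sys.argv) == 3:
        print(check_plugin_file(sys.argv[1], sys.argv[2]))
    else:
        v = plugin_header_version(SAMPLE_HEADER)
        print("sample header version:", v)
```

On hosts with WP-CLI the same inventory can be pulled from the site itself with `wp plugin list --format=json`, and the fix applied with `wp plugin update powerpress`; the header parser is for fleets where you only have file system access.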