CVE-2025-52758
Gesundheit Bewegt GmbH · Zippy
An unrestricted file upload vulnerability in the Zippy plugin allows attackers to upload malicious files, potentially leading to remote code execution.
Executive summary
The Zippy plugin for WordPress contains a critical unrestricted file upload vulnerability. An attacker can upload files of dangerous types, such as PHP scripts, to the server; where the server executes files from the upload location, this leads to remote code execution.
Vulnerability
The plugin does not adequately restrict the types of files its upload functionality accepts, so its file validation can be bypassed and an attacker can store a file such as a PHP script rather than the media type the feature expects. If the file lands in a web-accessible location where the server executes scripts, requesting it runs the attacker's code with the privileges of the web server process, that is, remote code execution.
Business impact
This vulnerability is rated 9.1 (Critical), reflecting the high potential for full system compromise. An attacker who succeeds in uploading and executing a malicious file runs code as the web server user and from there typically gains complete control of the affected site and server: reading or destroying data, establishing persistent unauthorized access, or using the host as a foothold for further attacks.
Remediation
Immediate Action: Update the Zippy plugin to a version later than 1.7.0 immediately. If no fixed version is available, remove the plugin from the production environment rather than merely deactivating it: a deactivated plugin's files remain on disk, and any upload handler that is reachable as a standalone PHP file can still be called directly.
Proactive Monitoring: Monitor the web server's upload directories (for WordPress, wp-content/uploads and any plugin-specific upload path) for files that should never appear there: script extensions such as .php, .phtml and .phar in any letter case, double extensions such as .php.jpg, and .htaccess or .user.ini files that an attacker may place to re-enable script execution. Alert on any such file written by the web server user.
Compensating Controls: Configure the web server to deny script execution in upload directories; this is the stronger control, since it neutralises a malicious file even after it has been uploaded. Also configure the WAF to inspect multipart uploads and block disallowed file types, but treat that as defence in depth only, as extension and content-type filters are routinely bypassed.
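An added example of the two compensating controls above, written for this page and not taken from the advisory or from the Zippy plugin: a POSIX shell script that writes a deny rule into the uploads tree and scans that tree for script-like files. It assumes Apache 2.4 with AllowOverride permitting AuthConfig for the uploads directory and the default WordPress layout (wp-content/uploads); the directory tree the demo scans, and its file names, are constructed for illustration.

```shell
#!/bin/sh
# Added example for the two compensating controls above (monitoring the upload
# tree and denying script execution in it). Not code from the advisory or from
# the Zippy plugin. Assumptions: Apache 2.4 with AllowOverride enabled for the
# uploads directory, and the default WordPress layout (wp-content/uploads).
# The demo tree and its file names are constructed for illustration.

# Names a PHP-capable server may execute: script extensions (case-insensitive,
# matched with grep -i) plus double extensions like "x.php.jpg", which some
# AddHandler-style configurations still hand to PHP.
SCRIPT_NAME_RE='\.(php[0-9]?|phtml|phar|pht|phps|shtml|cgi|pl)$|\.php[0-9]?\.[^/.]+$'

# Write an .htaccess at the root of the uploads tree that refuses to serve
# anything PHP-like. Requires Apache 2.4 and AllowOverride AuthConfig (or All).
harden_uploads_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    cat > "$dir/.htaccess" <<'EOF'
# Deny direct requests for anything that looks like a PHP script.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht|phps)$">
    Require all denied
</FilesMatch>
EOF
}

# List suspicious files under DIR: script-like names anywhere, plus .htaccess
# or .user.ini below the top level (attackers drop these to re-enable PHP).
# Prints one path per line; exit status 1 when anything was found, so a cron
# job can alert on it. Our own root-level .htaccess is deliberately not flagged.
find_script_uploads() {
    dir=$1
    hits=$( {
        find "$dir" -type f 2>/dev/null | grep -Ei "$SCRIPT_NAME_RE" || :
        find "$dir" -mindepth 2 -type f \( -name .htaccess -o -name .user.ini \)
    } | sort -u )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Number of suspicious files under DIR (always exits 0).
count_script_uploads() {
    find_script_uploads "$1" | grep -c '' || :
}

# Build a constructed uploads tree mixing benign media with the patterns an
# upload bug typically leaves behind; prints the directory path.
make_demo_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2025/06"
    : > "$d/2025/06/holiday.jpg"                 # benign
    : > "$d/2025/06/report.pdf"                  # benign
    : > "$d/2025/06/shell.php"                   # obvious web shell name
    : > "$d/2025/06/avatar.PhTmL"                # case-mangled extension
    : > "$d/2025/06/pic.php.jpg"                 # double extension
    printf 'AddType application/x-httpd-php .jpg\n' \
        > "$d/2025/06/.htaccess"                 # attacker re-enables PHP for .jpg
    echo "$d"
}

# Stand-alone demo: harden, then scan, then clean up.
demo=$(make_demo_uploads)
harden_uploads_dir "$demo"
if find_script_uploads "$demo"; then
    echo "uploads tree is clean"
else
    echo "ALERT: script-like files present under $demo"
fi
rm -rf "$demo"
```

Run the scan from cron against the real uploads path, for example `find_script_uploads /var/www/html/wp-content/uploads`, and alert on a non-zero exit. On nginx, which ignores .htaccess, the equivalent of the deny rule is a `location ~* /wp-content/uploads/.*\.php$ { deny all; }` block placed before the PHP location, since nginx evaluates regex locations in order. The scan is name-based: it catches what the web server would hand to PHP, not every file that contains PHP, so it complements the execution deny rather than replacing it.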
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability represents a significant security risk due to the potential for remote code execution. It is imperative that users of the Zippy plugin update to a patched version immediately to prevent unauthorized access and potential server takeover.