Cyber Resilience

CVE-2025-13065

Severity: High
Published: 06 December 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13065 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-13065 is an arbitrary file upload vulnerability affecting the Starter Templates plugin for WordPress in all versions up to and including 4.4.41. The issue stems from insufficient file type validation when handling WXR files, which permits double extension files to bypass sanitization while still being accepted as valid WXR imports. This flaw, associated with CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-06.

Authenticated attackers with author-level access or higher can exploit this vulnerability remotely without user interaction. By uploading specially crafted files during the import process, they can place arbitrary files on the affected site's server, potentially enabling remote code execution depending on server permissions and configuration.

Mitigation involves updating the Starter Templates plugin to version 4.4.42 or later, as indicated by the patch in the WordPress plugin trac changeset at https://plugins.trac.wordpress.org/changeset/3395498/astra-sites/tags/4.4.42/inc/lib/starter-templates-importer/importer/wxr-importer/st-wxr-importer.php. Additional details are available in the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/439e4c99-8f34-4e66-9d86-c0cbb8cf6da0?source=cve.
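The flaw described above is insufficient validation of the uploaded file's type, so a double-extension name can slip past the check yet still be treated as a WXR import. The following is an added illustration (not the plugin's code, written in Python rather than PHP so it runs stand-alone) of the kind of two-stage gate the SI-10 control calls for: the file name must carry exactly one allowed extension, and the body must actually parse as a WXR export. The function names, the allowed-extension policy and the sample inputs are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Policy assumed for this illustration: an import file name has exactly one
# extension, which must be .wxr or .xml, so "export.php.wxr" and
# "export.wxr.php" are both refused before the content is even opened.
ALLOWED_EXT = {"wxr", "xml"}
WP_NS = "http://wordpress.org/export/1.2/"   # namespace used by WXR 1.2 exports

def check_filename(name):
    """Return (ok, reason) for the uploaded file name alone."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # ignore any path part
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "expected exactly one extension: <stem>.wxr or <stem>.xml"
    if parts[1].lower() not in ALLOWED_EXT:
        return False, "extension %r is not an allowed import type" % parts[1]
    if not re.fullmatch(r"[A-Za-z0-9_-]+", parts[0]):
        return False, "file name stem contains unexpected characters"
    return True, "ok"

def check_content(data):
    """Return (ok, reason): body must be well-formed XML rooted at <rss>, with a
    <channel> carrying <wp:wxr_version>, as a genuine WXR export does."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    if root.tag != "rss":
        return False, "root element <%s> is not <rss>" % root.tag
    channel = root.find("channel")
    if channel is None or channel.find("{%s}wxr_version" % WP_NS) is None:
        return False, "no <channel>/<wp:wxr_version>; not a WXR export"
    return True, "ok"

def validate_wxr_upload(name, data):
    """Combined gate: the name check runs first, then the content check."""
    ok, reason = check_filename(name)
    if not ok:
        return False, reason
    return check_content(data)

# Constructed sample inputs (not real site exports).
GOOD_WXR = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">'
            b'<channel><title>Demo</title><wp:wxr_version>1.2</wp:wxr_version>'
            b'</channel></rss>')
NOT_XML = b"this is a plain text file, not an export"
```

Checking the name and the content independently means a file that passes one gate by accident still has to satisfy the other, which is the property the vulnerable version lacked.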


Vulnerability details

The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.


MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file upload in a public-facing WordPress plugin enables exploitation of a public-facing application (T1190) and facilitates uploading web shells for remote code execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

All share CWE-434: CVE-2025-46384, CVE-2025-13516, CVE-2024-13011, CVE-2025-8323, CVE-2025-21624, CVE-2026-35164, CVE-2026-2097, CVE-2025-12154, CVE-2026-42748, CVE-2025-32957.

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE).

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent): Directly mandates timely patching of the vulnerable Starter Templates plugin to version 4.4.42 or later, addressing the core file validation flaw.

SI-10 Information Input Validation (prevent): Requires robust input validation at file upload points to block arbitrary files and double extension bypasses during WXR imports.

SI-3 Malicious Code Protection (prevent, detect): Deploys malicious code protection to scan for, and prevent execution of, arbitrarily uploaded files that could enable remote code execution.
