CVE-2025-13536
Published: 27 November 2025
Summary
CVE-2025-13536 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by remediating the flaw in the Blubrry PowerPress plugin through timely patching to versions beyond 11.15.2.
Requires comprehensive validation of file types and contents during uploads in functions like powerpress_edit_post, countering the plugin's insufficient validation that fails to halt execution.
Enforces restrictions on file types and inputs accepted by the WordPress system, preventing arbitrary dangerous files from being uploaded via the vulnerable plugin.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload in public-facing WordPress plugin enables exploitation of public-facing application (T1190), privilege escalation from low-priv Contributor to RCE (T1068), and deployment/execution of web shells (T1100).
NVD Description
The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when…
more
validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Deeper analysisAI
CVE-2025-13536 affects the Blubrry PowerPress plugin for WordPress in all versions up to and including 11.15.2. The vulnerability enables arbitrary file uploads due to insufficient file type validation in the 'powerpress_edit_post' function. Specifically, the plugin checks file extensions but fails to halt execution upon validation failure, allowing unauthorized file types to be processed and stored on the server. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading arbitrary files, such as web shells, they can achieve potential remote code execution on the affected WordPress site, leading to high confidentiality, integrity, and availability impacts.
Advisories reference code locations in powerpressadmin.php at lines 2368, 3012, and 3068 in version 11.14.1, along with WordPress plugin changeset 3402635, which likely addresses the validation flaw. Security practitioners should update to a version beyond 11.15.2 and review the Wordfence threat intelligence page for additional details on detection and mitigation.
Details
- CWE(s)