Cyber Resilience

CVE-2025-22723

Severity: Critical
Published: 21 January 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0046 (36.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-22723 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). Its EPSS score places it at the 36.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22723 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the WordPress plugin Barcode Scanner with Inventory & Order Manager, developed by Dmitry V. (CEO of "UKR Solution") and published under the plugin slug barcode-scanner-lite-pos-to-manage-products-inventory-and-orders. Published on 2025-01-21, it affects all versions of the plugin up to and including 1.6.7 and allows an attacker who already holds high privileges to upload a web shell directly to the web server.

The vulnerability carries a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating exploitation is possible over the network with low complexity and no user interaction, but requires high privileges (PR:H), such as administrative access. A privileged attacker can upload malicious files like web shells, resulting in a scope change that grants high-impact control over confidentiality, integrity, and availability, potentially leading to full server compromise and remote code execution.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/vulnerability/wordpress-barcode-scanner-and-inventory-manager-plugin-1-6-7-arbitrary-file-upload-vulnerability?_s_id=cve) documents this arbitrary file upload issue in version 1.6.7 of the plugin and gives WordPress site operators the details needed to assess and address their exposure.


Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Upload a Web Shell to a Web Server. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.6.7.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload vulnerability directly enables deployment of web shells on the web server for RCE and persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-33015 (shared CWE-434)
CVE-2025-6057 (shared CWE-434)
CVE-2026-27067 (shared CWE-434)
CVE-2025-62056 (shared CWE-434)
CVE-2026-38526 (shared CWE-434)
CVE-2025-67924 (shared CWE-434)
CVE-2026-22241 (shared CWE-434)
CVE-2021-35485 (shared CWE-434)
CVE-2024-55417 (shared CWE-434)
CVE-2026-2146 (shared CWE-434)


Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Timely identification, reporting, and remediation of software flaws, such as updating the Barcode Scanner plugin beyond the affected versions (up to and including 1.6.7), directly eliminates the unrestricted file upload vulnerability.

SI-10 Information Input Validation (prevent): Systematic validation of file upload inputs for type, content, and other attributes prevents the acceptance of dangerous files like web shells.

prevent: Enforcing restrictions on file types, extensions, sizes, and upload parameters blocks the introduction of malicious web shells via unrestricted uploads.
