Cyber Resilience

CVE-2025-2525

High

Published: 08 April 2025

Published
08 April 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0123 79.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2525 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Iqonic (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Streamit theme for WordPress is vulnerable to arbitrary file uploads because the st_Authentication_Controller::edit_profile function lacks file type validation in all versions through 4.0.1. The flaw is tracked as CVE-2025-2525 and carries a CVSS 3.1 score of 8.8 under CWE-434.

Authenticated users with subscriber-level access or higher can exploit the issue over the network to upload arbitrary files to the server, which may enable remote code execution and full site compromise.

Vendor change-log entries and the Wordfence advisory reference the affected versions and point to updated releases that restore file-type checks as the primary mitigation.

EPSS remains flat at a low 0.0123 with no observed rise after disclosure.

EU & UK References

Vulnerability details

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above…

more

permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Iqonic
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References