CVE-2025-28915
Published: 11 March 2025
Summary
CVE-2025-28915 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 3.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-28915 is an unrestricted file upload vulnerability, tracked under CWE-434, that affects the ThemeEgg ToolKit WordPress plugin up to version 1.2.9. The flaw permits an attacker to upload files of dangerous types, including web shells, directly to the server. It carries a CVSS 3.1 score of 9.1, reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability with scope change.
An authenticated user holding high privileges, such as an administrator, can exploit the issue to place a web shell on the target server. Successful exploitation grants the attacker the ability to execute arbitrary code, potentially leading to full site takeover and further lateral movement within the hosting environment.
The single reference advisory from Patchstack identifies the issue as an arbitrary file upload vulnerability in ThemeEgg ToolKit 1.2.9 and below. It directs administrators to apply the vendor-supplied update that removes the unrestricted upload path.
The EPSS score has remained flat at 0.2485 since disclosure, with no upward trajectory, indicating steady but not accelerating public interest in exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7869
Vulnerability details
Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit themeegg-toolkit allows Upload a Web Shell to a Web Server. This issue affects ThemeEgg ToolKit: from n/a through <= 1.2.9.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload vulnerability in a public-facing WordPress plugin directly enables web shell deployment (T1100) and is exploited through a public-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Timely remediation of the specific flaw in ThemeEgg ToolKit versions through 1.2.9 by applying available updates directly prevents exploitation of this unrestricted file upload vulnerability.
- SI-10 (Information Input Validation): Validating all information inputs, including uploaded files for dangerous types like web shells, directly blocks unrestricted uploads in the vulnerable plugin.
- SI-3 (Malicious Code Protection): Malicious code protection mechanisms at web server entry points scan and block web shell uploads or detect them post-upload in the exploited plugin.
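As an added illustration of the SI-10 input validation and SI-3 content check described above (this is example code written for this page, not ThemeEgg ToolKit's PHP, and the image-upload endpoint it assumes is hypothetical), the validator below accepts only an allowlist of types, requires the declared extension to agree with the file's magic bytes, refuses executable PHP extensions anywhere in the name, and flags PHP open tags in the content. The same `looks_like_web_shell` heuristic can be run over files already sitting in an uploads directory.

```python
import re
from typing import Optional

# Constructed illustration, not ThemeEgg ToolKit code: SI-10 style validation
# for a hypothetical image-upload endpoint, plus an SI-3 style content check
# that can also be applied to files already present in an uploads directory.

# Allowlist: declared extension -> magic bytes the content must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions a PHP web server may execute. Checked against every extension
# in the name, not only the last one, so "shell.php.png" is also refused.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def _basename(filename: str) -> str:
    """Lower-case final path component; tolerates both / and \\ separators."""
    return filename.lower().replace("\\", "/").rsplit("/", 1)[-1]


def looks_like_web_shell(filename: str, data: bytes) -> bool:
    """Name/content heuristic usable at upload time and in post-upload scans."""
    exts = _basename(filename).split(".")[1:]
    return any(e in EXECUTABLE for e in exts) or PHP_OPEN_TAG.search(data) is not None


def check_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise the rejection reason."""
    name = _basename(filename)
    parts = name.split(".")
    # Reject dotfiles (e.g. ".htaccess") and names with no extension at all.
    if len(parts) < 2 or not parts[0]:
        return "missing or bare extension"
    if looks_like_web_shell(name, data):
        return "executable extension or PHP open tag present"
    ext = parts[-1]
    if ext not in ALLOWED:
        return f"extension not in allowlist: {ext}"
    if not data.startswith(ALLOWED[ext]):
        return f"content does not match declared type {ext}"
    return None
```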