Cyber Resilience

CVE-2025-28915

Critical

Published: 11 March 2025

Modified: 23 April 2026
KEV Added: not listed
Patch: vendor update available
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.2485 (96.3rd percentile)
Risk Priority: 33 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-28915 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-28915 is an unrestricted file upload vulnerability, tracked under CWE-434, that affects the ThemeEgg ToolKit WordPress plugin up to version 1.2.9. The flaw permits an attacker to upload files of dangerous types, including web shells, directly to the server. It carries a CVSS 3.1 score of 9.1, reflecting network attack vector, low complexity, and high impact on confidentiality, integrity, and availability with scope change.

An authenticated user holding high privileges, such as an administrator, can exploit the issue to place a web shell on the target server. Successful exploitation grants the attacker the ability to execute arbitrary code, potentially leading to full site takeover and further lateral movement within the hosting environment.

The single reference advisory from Patchstack identifies the issue as an arbitrary file upload vulnerability in ThemeEgg ToolKit 1.2.9 and below. It directs administrators to apply the vendor-supplied update that removes the unrestricted upload path.

EPSS remains flat at 0.2485 with no upward trajectory after disclosure, indicating steady but not accelerating public interest in exploitation.

EU & UK References

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in Theme Egg ThemeEgg ToolKit themeegg-toolkit allows Upload a Web Shell to a Web Server. This issue affects ThemeEgg ToolKit: from n/a through <= 1.2.9.

CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An arbitrary file upload vulnerability in a public-facing WordPress plugin directly enables web shell deployment (T1505.003, formerly tracked as T1100), and the plugin is reached by exploiting a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2025-32957 (shared CWE-434)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent)

Timely remediation of the specific flaw in ThemeEgg ToolKit versions through 1.2.9 by applying available updates directly prevents exploitation of this unrestricted file upload vulnerability.

SI-10 Information Input Validation (prevent)

Validating all information inputs, including uploaded files, against an allow-list of permitted types directly blocks unrestricted uploads of dangerous types such as web shells in the vulnerable plugin.

SI-3 Malicious Code Protection (prevent, detect)

Malicious code protection mechanisms at web server entry points scan and block web shell uploads, or detect them after upload in the exploited plugin's upload directory.
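The following PHP is an added illustration of the SI-10 and SI-3 controls above as they apply to a WordPress plugin upload feature; it is not the ThemeEgg ToolKit plugin's code nor the vendor's fix. The plugin prefix `myplugin_`, the AJAX action `myplugin_upload` and the nonce name `myplugin_upload_nonce` are hypothetical. The WordPress core functions used (`wp_check_filetype_and_ext`, `wp_handle_upload`, `current_user_can`, `check_ajax_referer`, `wp_upload_dir`) are real core APIs. Because the page records that CVE-2025-28915 is reachable by an administrator, the role check alone would not close it; the type allow-list applied to both extension and content is the decisive control.

```php
<?php
// Added example (not ThemeEgg ToolKit code). Hypothetical plugin prefix "myplugin_".
add_action( 'wp_ajax_myplugin_upload', 'myplugin_handle_upload' );

/**
 * Allow-list of the types this feature actually needs (SI-10). Anything else,
 * including .php/.phtml/.phar and double extensions such as x.php.png, is refused.
 */
function myplugin_allowed_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
}

function myplugin_handle_upload() {
    // Authorisation and CSRF checks: necessary, but an administrator passes them,
    // so they are not what stops a CWE-434 issue; the type checks below are.
    check_ajax_referer( 'myplugin_upload_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }

    $file  = $_FILES['file'];
    $mimes = myplugin_allowed_mimes();

    // Validate extension AND content: core compares the extension with the
    // allow-list and, for images, with the real file signature.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        // Core corrected a mismatched extension; use its name, never the client's.
        $file['name'] = $check['proper_filename'];
    }

    // Let core move the file with the SAME allow-list: it sanitises the name,
    // makes it unique and re-runs the type test, so nothing accepted above widens.
    $result = wp_handle_upload(
        $file,
        array( 'test_form' => false, 'mimes' => $mimes )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => $result['file'], 'url' => $result['url'] ) );
}

/**
 * Post-upload detection (SI-3): list files under the uploads tree whose name
 * carries an extension the web server would execute. Run from WP-CLI or cron
 * and alert on any hit; legitimate uploads never need these extensions.
 */
function myplugin_find_executable_uploads( $dir = null ) {
    $dir   = $dir ? $dir : wp_upload_dir()['basedir'];
    $exec  = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar' );
    $found = array();
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $path => $info ) {
        // Inspect every dotted segment after the first, so "x.php.png" is flagged
        // as well as "x.php" (Apache AddHandler setups honour inner extensions).
        $parts = array_slice( explode( '.', strtolower( $info->getFilename() ) ), 1 );
        if ( array_intersect( $parts, $exec ) ) {
            $found[] = $path;
        }
    }
    return $found;
}
```

`myplugin_find_executable_uploads()` returns the offending paths rather than printing them so it can feed an alerting job. As defence in depth, pairing the handler with a web-server rule that disables script execution under the uploads directory means that even a file that slips past the allow-list is served as static content rather than executed.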

References