Cyber Resilience

CVE-2025-49387

Severity: Critical
Published: 28 August 2025
Modified: 17 June 2026
KEV Added: not listed
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0035 (27.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-49387 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 27.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2025-49387 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the WordPress plugin Drag and Drop File Upload for Elementor Forms (drag-and-drop-file-upload-for-elementor-forms). This issue affects all versions from n/a through 1.5.3 and allows attackers to upload a web shell to the web server. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The score reflects network accessibility, low attack complexity, no privilege or user-interaction requirement, a changed scope, and high confidentiality, integrity, and availability impact.

An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. Exploitation enables the upload of dangerous files, such as web shells, directly to the web server, potentially granting remote code execution and full server compromise.

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/drag-and-drop-file-upload-for-elementor-forms/vulnerability/wordpress-drag-and-drop-file-upload-for-elementor-forms-plugin-1-5-3-arbitrary-file-upload-vulnerability?_s_id=cve, detail the arbitrary file upload vulnerability in plugin version 1.5.3.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms (drag-and-drop-file-upload-for-elementor-forms) allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.5.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An unrestricted file upload vulnerability in a public-facing WordPress plugin directly enables web shell deployment (T1505.003) via exploitation of the exposed application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-50002 (shared CWE-434)
CVE-2015-10135 (shared CWE-434)
CVE-2025-69312 (shared CWE-434)
CVE-2015-10144 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2025-44658 (shared CWE-434)
CVE-2026-37748 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2026-6518 (shared CWE-434)
CVE-2025-67968 (shared CWE-434)

Affected Assets

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 (prevent): SI-10 directly prevents unrestricted uploads of dangerous files like web shells by validating all inputs for consistency and malicious content in the WordPress plugin's upload functionality.

SI-9 (prevent): SI-9 mitigates the vulnerability by restricting dangerous file types from being uploaded through the unauthenticated Elementor Forms plugin endpoint.

SI-3 (prevent, detect): SI-3 protects against web shell uploads by deploying malicious code scanning at system entry points such as the plugin's file upload interface.
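The three controls above describe what a hardened upload handler has to do: validate the declared type against an allowlist (SI-9), check that the content actually is that type (SI-10), and refuse content carrying server-side script markers (SI-3). The following is an added example of such a validator, written for this page and not taken from the plugin or from any advisory; the allowed-type table, size cap and sample uploads are assumptions constructed for illustration.

```python
"""Upload validator illustrating the SI-10 / SI-9 / SI-3 controls.

Added example, not code from the plugin or this page. The policy values
(allowed types, size cap) and the sample uploads are constructed assumptions.
"""
import os
import re
import secrets

# Assumed policy (SI-9): the form only ever needs these image/document types.
# Each extension maps to the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed 5 MiB cap

# Server-side script markers that have no business in an image or PDF (SI-3
# style content check; catches PHP hidden in EXIF/comment sections too).
DANGEROUS_CONTENT = re.compile(rb"<\?php|<\?=|<script\b|<%", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails validation."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return a safe storage name for an accepted upload, else raise UploadRejected.

    Checks, in order: size cap; basename only (strips any client-supplied
    directory part); exactly one extension, and that extension allowlisted
    (rejects shell.php, shell.phtml, shell.php.jpg and .htaccess alike);
    magic bytes matching the declared type; no script markers in the body.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be name.ext with exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    if DANGEROUS_CONTENT.search(data):
        raise UploadRejected("script markers found in upload")
    # Never reuse the client-supplied name: store under a random name so the
    # uploader cannot pick a path or extension the web server would execute.
    return f"{secrets.token_hex(16)}.{ext}"


def screen_uploads(uploads):
    """Run validate_upload over (filename, bytes) pairs; return a verdict per name."""
    verdicts = {}
    for name, data in uploads:
        try:
            verdicts[name] = "accepted as " + validate_upload(name, data)
        except UploadRejected as exc:
            verdicts[name] = "rejected: " + str(exc)
    return verdicts


# Constructed sample uploads: one benign image, and several shapes a
# validator must turn away (the "script" bodies are harmless placeholders).
SAMPLE_UPLOADS = [
    ("../../photo.jpg", b"\xff\xd8\xff" + b"\x00" * 16),
    ("shell.php", b"<?php echo 1; ?>"),
    ("shell.php.jpg", b"\xff\xd8\xff" + b"<?php echo 1; ?>"),
    ("poly.jpg", b"\xff\xd8\xff" + b"\x00" * 8 + b"<?php echo 1; ?>"),
    ("fake.png", b"<?php echo 1; ?>"),
]

if __name__ == "__main__":
    for name, verdict in screen_uploads(SAMPLE_UPLOADS).items():
        print(f"{name:20} -> {verdict}")
```

The ordering matters: the extension check runs before the content checks so a disallowed type is refused without reading its body, and the random storage name means that even a file that passes every check cannot land at an attacker-chosen path. In a WordPress deployment the same policy belongs in the plugin's upload callback, with the uploads directory additionally configured so the web server never executes scripts from it.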

References