CVE-2025-49387
Published: 28 August 2025
Summary
CVE-2025-49387 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 34.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) addresses the root cause: the plugin's upload handler must validate every attacker-controlled part of the upload, including the file name, every extension it contains, the declared and actual content type, and the file body, and must reject anything outside an allowlist of expected types rather than trying to block known-bad ones.
SI-9 (Information Input Restrictions) is cited here, but it is a withdrawn control in SP 800-53 r5 (incorporated into AC-2, AC-3, AC-5 and AC-6). Its intent still applies: enforce access control (AC-3) so that the Elementor Forms upload endpoint is not reachable by an unauthenticated attacker, which is the PR:N condition that makes this issue critical.
SI-3 (Malicious Code Protection) adds a detective and compensating layer: scan files for web-shell content at the point of upload and in the uploads directory, and configure the web server so that files under the uploads path are served as static content and never executed as scripts.
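The three controls above reduce to a small amount of concrete logic in an upload handler. The following is an added example, not code from the plugin, from WordPress or from the advisory: illustrative Python that applies allowlist validation (SI-10) and a content scan for web-shell signatures (SI-3) to a form upload. The function names, the allowlist, the extension list and the sample inputs are the example's own assumptions; a real WordPress handler would do the equivalent in PHP and should additionally ensure the uploads directory is served without a PHP handler.

```python
"""Added example: upload validation (SI-10) and web-shell content scanning (SI-3)
for a form-upload handler. Illustrative Python, not code from the plugin, from
WordPress or from the advisory; the names, lists and sample inputs are assumed."""
import re

# Assumption: the form only needs documents and images, so only these pass.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}

# Leading bytes (magic numbers) the allowed binary types must start with.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that a typical PHP web server executes or that change how the
# uploads directory is served; rejected wherever they appear in the name.
DANGEROUS_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht",
    "phps", "shtml", "cgi", "pl", "py", "sh", "asp", "aspx", "jsp", "htaccess",
}

# Byte patterns typical of PHP web shells; a small SI-3 style signature set.
SHELL_PATTERNS = [
    re.compile(rb"<\?(php|=)", re.I),
    re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    re.compile(rb"\bbase64_decode\s*\(", re.I),
]


def scan_for_shell(content: bytes) -> bool:
    """True if the file body carries a known web-shell signature."""
    return any(p.search(content) for p in SHELL_PATTERNS)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Decide whether to store an upload. Returns (accepted, reason).

    Every input here is attacker-controlled: the name, the extension(s) and
    the body. The checks are ordered cheapest first.
    """
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separator or null byte in file name"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    # Check every extension, not only the last: shell.php.jpg and .htaccess
    # are the usual ways past a last-extension check.
    for ext in parts[1:]:
        if ext in DANGEROUS_EXTENSIONS:
            return False, f"dangerous extension '.{ext}'"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' not in allowlist"
    expected = MAGIC.get(ext)
    if expected is not None and not content.startswith(expected):
        return False, f"content does not match .{ext} signature"
    # A valid image header does not prove a safe file: a polyglot JPEG can
    # carry PHP in its metadata, so the body is scanned as well.
    if scan_for_shell(content):
        return False, "web shell signature in content"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads, not real captured traffic.
    samples = [
        ("report.pdf", b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>"),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF<?php eval($_POST['x']); ?>"),
        (".htaccess", b"AddType application/x-httpd-php .jpg\n"),
    ]
    for name, body in samples:
        print(f"{name:16} -> {validate_upload(name, body)}")
```

validate_upload checks every extension in the name, not only the last one, because double extensions (shell.php.jpg) and dotfiles (.htaccess) are the standard ways to get script execution past a last-extension check; the magic-number check catches a PHP file renamed to .jpg, and the content scan catches a polyglot image with PHP in its metadata. The signature list is deliberately small: treat it as a hint for review rather than a complete detector, and expect occasional false positives on PDFs that embed JavaScript.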
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unrestricted file upload in a public-facing WordPress plugin is reached by exploiting the exposed application (T1190); the uploaded web shell then provides persistence and command execution under Server Software Component: Web Shell (T1505.003, which superseded the retired T1100).
NVD Description
Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.5.3.
Deeper analysis
CVE-2025-49387 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the WordPress plugin Drag and Drop File Upload for Elementor Forms (drag-and-drop-file-upload-for-elementor-forms). It affects all versions through 1.5.3 and allows an attacker to upload a web shell to the web server. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): it is reachable over the network, has low attack complexity, requires neither privileges nor user interaction, has a changed scope (the uploaded file executes in the context of the web server, beyond the plugin itself), and has high confidentiality, integrity and availability impact.
An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. Exploitation enables the upload of dangerous files, such as web shells, directly to the web server, potentially granting remote code execution and full server compromise.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/drag-and-drop-file-upload-for-elementor-forms/vulnerability/wordpress-drag-and-drop-file-upload-for-elementor-forms-plugin-1-5-3-arbitrary-file-upload-vulnerability?_s_id=cve, describe the issue as an arbitrary file upload affecting plugin versions through 1.5.3.
Details
- CWE(s)