Tag: cwe-434

  • CVE-2025-31324: Critical File Upload Vulnerability in SAP NetWeaver Visual Composer

    Overview

    CVE-2025-31324 exposes a critical vulnerability in the SAP NetWeaver Visual Composer development server, specifically in the Metadata Uploader component. The flaw enables unauthenticated attackers to upload malicious binaries without proper authorization, resulting in potential full compromise of the host system.

    Technical Details

    This vulnerability arises due to a missing authorization check (CWE-434: Unrestricted Upload of File with Dangerous Type). The Metadata Uploader allows file submissions without verifying the origin or privileges of the request. Consequently, an attacker can send specially crafted executable files over HTTP, leading to remote code execution, data breaches, or system outages.

    CVSS Score and Vector

    • Base Score: 10.0 (Critical)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
    • Impact: High (Confidentiality, Integrity, Availability)

    Affected Product

    • SAP NetWeaver (Visual Composer development server), Version: VCFRAMEWORK 7.50

    Mitigation and Recommendations

    SAP has issued security patches addressing this vulnerability in its April 2025 Security Patch Day. Organizations using affected systems should:

    • Apply the latest SAP patches immediately.
    • Restrict network access to the Visual Composer development server.
    • Audit access logs for signs of unauthorized file uploads.
    • Review and enforce strict authorization policies on all upload mechanisms.

    Active Exploitation

    Reports confirm that this vulnerability is under active exploitation in the wild. Security teams should treat this as a high-priority incident and verify whether their environments show any indication of compromise.

    For further details, consult the following resources:

  • CVE-2025-2780: Critical File Upload Vulnerability in Woffice Core Plugin

    Overview

    A critical vulnerability has been identified in the Woffice Core plugin for WordPress, affecting all versions up to and including 5.4.21. Tracked as CVE-2025-2780, this flaw enables authenticated users with Subscriber-level access or higher to upload arbitrary files to the server due to missing file type validation in the saveFeaturedImage function.

    Technical Details

    The issue arises from the lack of proper file type validation, which permits users with minimal privileges to upload files of any type. Classified under CWE-434: Unrestricted Upload of File with Dangerous Type, this vulnerability can be exploited to upload executable scripts that may lead to remote code execution (RCE) on the hosting server.

    The vulnerable function, saveFeaturedImage, fails to restrict file MIME types or sanitize file content. This creates an opportunity for threat actors to upload malicious payloads disguised as images or documents.

    Severity and CVSS Score

    This vulnerability has received a CVSS v3.1 base score of 9.8 (Critical), with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This score reflects:

    • Network-based attack vector
    • Low complexity
    • No user interaction required
    • High impact on confidentiality, integrity, and availability

    Potential Impact

    Authenticated users, including Subscribers, could upload files that execute arbitrary code. This opens the door to complete server takeover, data theft, or lateral movement within the hosting environment. Since the attack can be automated, it represents a significant threat for any site using the vulnerable plugin version.

    Mitigation and Recommendations

    • Update Immediately: Upgrade to Woffice Core version 5.4.22 or later.
    • Restrict File Uploads: Use application-layer firewalls or additional plugins to limit file upload types.
    • Monitor Logs: Review recent uploads and access logs for suspicious activity.
    • Review User Roles: Ensure only necessary users have upload permissions.

    Credits

    This vulnerability was responsibly disclosed by Friderika Baranyai.

  • CVE-2025-4389: Critical File Upload Vulnerability in Crawlomatic Plugin for WordPress

    Overview

    A critical vulnerability identified as CVE-2025-4389 affects the Crawlomatic Multipage Scraper Post Generator plugin for WordPress, up to and including version 2.6.8.1. Discovered by Friderika Baranyai and disclosed on May 16, 2025, this flaw enables unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE).

    Technical Details

    The vulnerability resides in the crawlomatic_generate_featured_image() function, which lacks proper file type validation. As a result, attackers can upload malicious files directly to the affected server without any authentication. This violates best practices in secure coding, particularly around file handling and input validation.

    This issue is categorized under CWE-434: Unrestricted Upload of File with Dangerous Type, which involves failure to restrict uploads to safe file types, opening the door for execution of hostile code on the server.

    CVSS Score and Impact

    The vulnerability has been rated CRITICAL with a CVSS v3.1 base score of 9.8. The vector string is:

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Key characteristics of this score include:

    • Exploitable remotely over a network (AV:N)
    • Low attack complexity (AC:L)
    • No privileges or user interaction required (PR:N, UI:N)
    • High impact on confidentiality, integrity, and availability (C:H, I:H, A:H)

    Impacted Versions

    All versions of the plugin up to and including 2.6.8.1 are affected. Users running these versions are highly encouraged to update or disable the plugin immediately.

    Mitigation and Recommendations

    Users should consult the plugin vendor for updates or security patches. In the absence of an immediate patch, disabling the plugin is advised. For reference and further reading, see:

    CISA’s SSVC analysis identifies the vulnerability as automatable with a total technical impact, further underlining the urgency of remediation efforts.

    Conclusion

    CVE-2025-4389 is a severe security risk for WordPress sites using the Crawlomatic plugin. The ability for unauthenticated users to upload files with no validation represents a significant attack vector. Site administrators must act swiftly to mitigate this threat.
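The defect shared by the two WordPress advisories above (Woffice Core's saveFeaturedImage and Crawlomatic's crawlomatic_generate_featured_image()) is a featured-image upload with no file type validation. The Python validator below is an added example, not code from either plugin or from SAP; it shows the checks such a function needs before anything touches disk: an extension allowlist, magic bytes that agree with the declared type, rejection of double extensions and of script markers embedded in an otherwise valid image, and a server-chosen storage name. The allowlist, size limit and marker list are assumptions chosen for illustration.

```python
import os

# Constructed allowlist for a "featured image" upload: extension -> accepted magic bytes.
IMAGE_SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Markers that have no business inside an image; a GIF/PHP polyglot carries them.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller must not write it to disk."""


def validate_featured_image(filename: str, content: bytes, max_bytes: int = 5 * 1024 * 1024) -> str:
    """Validate an upload and return a safe storage name, or raise UploadRejected.

    Order: size bound, exactly one allowlisted extension (rejects "shell.php.gif"),
    leading bytes that match the declared type (rejects "shell.php" renamed to
    "shell.gif"), and no embedded script markers (rejects a GIF/PHP polyglot).
    Storing the result outside the web root, or in a directory the server will
    never execute, is still required: content checks alone do not stop RCE.
    """
    if not content or len(content) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be <name>.<ext> with exactly one extension")
    stem, ext = parts
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    if not any(content.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match the declared image type")
    lowered = content.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise UploadRejected("image contains embedded script markers")
    # Never reuse the client-supplied name verbatim; keep a fixed character set.
    safe_stem = "".join(c for c in stem if c.isalnum() or c in "-_")[:64] or "upload"
    return f"{safe_stem}.{ext}"


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload would be stored, False if rejected."""
    try:
        validate_featured_image(filename, content)
        return True
    except UploadRejected:
        return False
```

The same ordering (cheap structural checks first, content inspection second, server-chosen name last) applies to any upload endpoint, including one that takes binaries rather than images; only the signature allowlist changes.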