CVE-2018-25335
Published 2026-05-17
Priority: P267 | critical | 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.52% (39.9th percentile)
WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Attackers can upload files with arbitrary extensions by manipulating the 'name' parameter to execute code from the uploads directory.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| peugeot-music-plugin | peugeot_music | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-gvq2-4mf3-84fh: WordPress Plugin Peugeot Music 1
ghsa_unreviewed·2026-05-17
CVE-2018-25335 [CRITICAL] CWE-306 GHSA-gvq2-4mf3-84fh: WordPress Plugin Peugeot Music 1
VulDB
peugeot-music-plugin Peugeot Music Plugin 1.0 on WordPress upload.php Name missing authentication (Exploit 44737 / EUVD-2018-21856)
vuldb·2026-05-17·CVSS 9.3
CVE-2018-25335 [CRITICAL] peugeot-music-plugin Peugeot Music Plugin 1.0 on WordPress upload.php Name missing authentication (Exploit 44737 / EUVD-2018-21856)
A vulnerability was found in peugeot-music-plugin Peugeot Music Plugin 1.0 on WordPress. It has been rated as critical. Impacted is an unknown function of the file upload.php. Performing a manipulation of the argument Name results in missing authentication.
This vulnerability was named CVE-2018-25335. The attack may be initiated remotely. In addition, an exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.