CVE-2025-4391
Published 2025-05-17
Priority: P268 · Critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.64% (46.0th percentile)
The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coderevolution | echo_rss_feed_post_generator | <= 5.4.8.1 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | | 4.8 | MEDIUM | |
GHSA
GHSA-8hqp-jvp3-493j · ghsa_unreviewed · 2025-05-17 · CVE-2025-4391 [CRITICAL] · CWE-434
The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Red Hat
CVE-2025-2588 [MEDIUM] · CWE-404 · vendor_redhat · 2025-03-21 · CVSS 4.8
augeas: Hercules Augeas fa.c re_case_expand null pointer dereference
A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
A flaw was found in Hercules Augeas. This issue occurs in the re_case_expand function, defined in src/fa.c at line 4391. The fa_expand_nocase function fails to check whether the pointer is null before calling re_case_expand, resulting in a null pointer dereference that causes the program to crash with a segmentation fault.
Mitigation: Mitigation for this issue is either not available or the
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.