CVE-2018-25335 | THREATINT

Description

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Attackers can upload files with arbitrary extensions by manipulating the 'name' parameter to execute code from the uploads directory.

PUBLISHED Reserved 2026-05-17 | Published 2026-05-17 | Updated 2026-05-18 | Assigner VulnCheck

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Missing Authentication for Critical Function

Product status

1.0

affected

Credits

Mr.7z finder

References

www.exploit-db.com/exploits/44737 (ExploitDB-44737) exploit

www.vulncheck.com/...gin-peugeot-music-arbitrary-file-upload (VulnCheck Advisory: WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload) third-party-advisory

cve.org (CVE-2018-25335)

nvd.nist.gov (CVE-2018-25335)

Download JSON