CVE-2025-4954 PUBLISHED

Axle Demo Importer <= 1.0.3 - Author+ Arbitrary File Upload

Assigner: WPScan
Reserved: 19.05.2025 Published: 10.06.2025 Updated: 11.06.2025

The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files, such as PHP files, to the server.

Product Status

Vendor Unknown
Product Axle Demo Importer
Versions Default: affected
  • affected from 0 to 1.0.3 (incl.)

Credits

  • Khaled Alenazi (Nxploited), finder
  • WPScan, coordinator

Problem Types

  • CWE-434: Unrestricted Upload of File with Dangerous Type