Platform
wordpress
Component
digiwidgets-image-editor
Fixed in
1.10.1
CVE-2025-30580 is a remote code execution (RCE) vulnerability in the DigiWidgets Image Editor WordPress plugin, classified on this page as Remote Code Inclusion: the plugin can be made to include, and therefore execute, code the attacker controls. It affects every release up to and including 1.10 (the advisory's lower bound of 0.0.0 means no earlier version is exempt). Version 1.10.1 contains the fix.
The impact is severe. Code included through this flaw runs on the web server with the privileges of the PHP or web server user, which is enough to deploy web shells, read the WordPress database credentials in wp-config.php and the data behind them, alter site content, or plant a persistent backdoor. Taking over the whole host or adjacent systems requires a further privilege escalation or lateral move, but the web-application tier should be treated as fully compromised once exploitation succeeds.
CVE-2025-30580 was publicly disclosed on 2025-04-01. As of this writing there are no reports of active exploitation and the CVE is not in CISA's Known Exploited Vulnerabilities (KEV) catalog. WordPress plugin flaws with a public fix are routinely diffed and weaponized, so a public proof of concept can appear at any time; absence from KEV is not a reason to defer patching.
Exploit Status
No known exploitation; not listed in CISA KEV
EPSS
0.38% (59th percentile): estimated probability of exploitation in the next 30 days
CISA SSVC
Not listed on this page
CVSS Vector
Not listed on this page
The primary mitigation for CVE-2025-30580 is to upgrade DigiWidgets Image Editor to version 1.10.1 or later without delay. If that cannot happen immediately, reduce exposure in the meantime: restrict who can upload files in the WordPress environment and block PHP execution in the uploads directory, remove plugins and themes that are not in use, and review web server logs for requests to the plugin's endpoints that carry file paths or URLs in their parameters. These measures narrow what an attacker can include or reach; they do not remove the inclusion flaw itself, so the upgrade remains mandatory.
Update the DigiWidgets Image Editor plugin to the latest version available on its WordPress.org plugin page, which also carries the update instructions. If the plugin is not essential, delete it rather than merely deactivating it: a deactivated plugin's PHP files stay on disk and may still be requested directly.
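The check behind the "upgrade or confirm you are not affected" step can be scripted. The following is an added example written for this page, not code from the plugin or the advisory. It reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) from the plugin's main file, compares the version field by field against the fixed release, and reports whether the install is vulnerable. The slug `digiwidgets-image-editor` and the fixed version 1.10.1 come from the page; the plugin tree it builds for the demo, and the main-file name inside it, are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): report whether an installed
# DigiWidgets Image Editor is below the fixed release 1.10.1.
# Assumptions: the plugin lives under wp-content/plugins/<slug>/ and its main file
# carries the standard WordPress "Plugin Name:" / "Version:" header block.

FIXED_VERSION="1.10.1"                  # from the advisory
PLUGIN_SLUG="digiwidgets-image-editor"  # from the advisory

# version_le A B: succeed (exit 0) when dotted version A <= B, comparing numerically
# field by field and treating missing fields as 0 (so 1.10 < 1.10.1 and 1.9 < 1.10).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }'
}

# plugin_version DIR: print the Version: header of the first top-level PHP file that
# declares "Plugin Name:", which is how WordPress identifies a plugin's main file.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]/*#@]*Plugin Name:' "$f"; then
            sed -n 's/^[[:space:]/*#@]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | head -n 1
            return 0
        fi
    done
    return 1
}

# check_plugin DIR: print "vulnerable", "patched" or "unknown" for the plugin in DIR.
check_plugin() {
    v=$(plugin_version "$1") || v=""
    [ -n "$v" ] || { echo "unknown"; return 0; }
    if version_le "$FIXED_VERSION" "$v"; then
        echo "patched"      # installed >= 1.10.1
    else
        echo "vulnerable"   # installed <= 1.10
    fi
}

# make_sample_plugin ROOT VERSION: create a constructed plugin tree for the demo. The
# main-file name is an assumption; real installs may differ, which is why plugin_version scans.
make_sample_plugin() {
    d="$1/wp-content/plugins/$PLUGIN_SLUG"
    mkdir -p "$d"
    printf '<?php\n/*\nPlugin Name: DigiWidgets Image Editor\nVersion: %s\n*/\n' "$2" > "$d/$PLUGIN_SLUG.php"
    echo "$d"
}

# Demo against a constructed install. To audit a live site, point check_plugin at the
# real directory, e.g. /var/www/html/wp-content/plugins/digiwidgets-image-editor.
demo_root=$(mktemp -d)
demo_dir=$(make_sample_plugin "$demo_root" "1.10")
echo "$demo_dir: $(check_plugin "$demo_dir")"   # prints "... : vulnerable"
rm -rf "$demo_root"
```

The numeric field-by-field comparison matters here: a plain string or `sort` comparison would rank 1.9 above 1.10 and could report a vulnerable 1.9 install as patched. On a fleet, run `check_plugin` over every `wp-content/plugins/digiwidgets-image-editor` directory found with `find` and act on any line that is not `patched`.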
What is CVE-2025-30580?
CVE-2025-30580 is a critical remote code execution vulnerability in the DigiWidgets Image Editor WordPress plugin. Through Remote Code Inclusion an attacker can get arbitrary code executed on the web server. It affects all versions up to and including 1.10.
Am I affected?
Yes, if your WordPress site has DigiWidgets Image Editor at version 1.10 or earlier installed. Check the plugin's version in the WordPress admin plugin list or in the plugin's main file header now.
How do I fix it?
Upgrade DigiWidgets Image Editor to version 1.10.1 or later. If you cannot upgrade immediately, apply the temporary measures above, such as restricting file uploads, and plan the upgrade as the actual fix.
Is it being exploited?
No active exploitation has been confirmed so far, but the severity warrants immediate remediation rather than waiting for exploitation reports.
Where is the official advisory?
Refer to the DigiWidgets Image Editor website or the plugin's WordPress.org repository page for the official advisory and update information.