Platform: wordpress
Component: wastia
Fixed in: 1.1.4
CVE-2025-49060 describes an Arbitrary File Access vulnerability within the Wastia component for WordPress. This flaw allows attackers to upload files of any type, including malicious web shells, directly to the web server. The vulnerability impacts Wastia versions ranging from 0.0.0 through 1.1.3. A fix is available in version 1.1.3.
The primary impact of CVE-2025-49060 is the ability for an attacker to upload arbitrary files to the web server. This includes the potential for uploading web shells, which grant the attacker remote code execution capabilities. Successful exploitation could lead to complete server compromise, data theft, modification, or deletion. The attacker could establish a persistent foothold on the system, potentially pivoting to other systems within the network. The ease of file upload, combined with the potential for web shell deployment, makes this a high-risk vulnerability.
CVE-2025-49060 was publicly disclosed on 2025-10-22. The vulnerability's simplicity and potential for severe impact suggest a high probability of exploitation. While no public proof-of-concept (PoC) code is currently available, the ease of exploitation makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2025-49060 is to immediately upgrade Wastia to version 1.1.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file upload types to only explicitly allowed extensions via WordPress configuration or using a Web Application Firewall (WAF) to block suspicious file uploads. Carefully review existing Wastia installations for any unusual files or processes. After upgrading, confirm the fix by attempting to upload a non-allowed file type and verifying that the upload is rejected.
Update the Wastia theme to version 1.1.4 or higher to resolve the arbitrary file upload vulnerability. Check for theme updates through the WordPress admin panel or download the latest version from the official WordPress.org repository.
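To support the "review existing installations for unusual files" step above, the following is an added Python example, not code from the advisory or from the Wastia project. It walks a wp-content/uploads tree and flags files a PHP host might execute: executable or double extensions, PHP open tags inside files with non-PHP extensions, and stray .htaccess files. The sample tree it scans is constructed inline; the extension list is an assumption about a typical PHP server configuration.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions a typical PHP host may execute (assumed list; .phtml/.phar are often overlooked).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# "<?php" or the short echo tag "<?="; plain "<?xml" does not match.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_upload(name: str, head: bytes) -> list[str]:
    """Return the reasons a file under uploads looks suspicious (empty list = clean)."""
    reasons = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    elif any(s in EXECUTABLE_EXTS for s in suffixes[:-1]):
        reasons.append("double extension")  # e.g. name.php.jpg
    if PHP_TAG.search(head):
        reasons.append("contains PHP open tag")
    if name.lower() == ".htaccess":
        reasons.append(".htaccess in uploads")  # can re-enable PHP execution in the directory
    return reasons


def scan_uploads(root: str, head_bytes: int = 4096) -> dict[str, list[str]]:
    """Map each suspicious file (relative path) to its reasons; only the first bytes are read."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            reasons = classify_upload(fn, head)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Scan a constructed sample uploads tree (not a real site) and return the findings."""
    samples = {  # constructed sample data
        "2025/10/photo.jpg": b"\xff\xd8\xff\xe0 jpeg header",
        "2025/10/shell.php.jpg": b"\xff\xd8\xff\xe0 <?php echo 1; ?>",
        "2025/10/.htaccess": b"# constructed sample",
        "wastia/cache.phtml": b"<?= 1 ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return scan_uploads(root)
```

Run `demo()` to see the three flagged files from the sample tree; point `scan_uploads()` at a real wp-content/uploads directory to review an installation.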
CVE-2025-49060 is a CRITICAL vulnerability in Wastia for WordPress allowing attackers to upload arbitrary files, potentially leading to server compromise. It affects versions 0.0.0–1.1.3.
You are affected if your WordPress site uses Wastia version 0.0.0 through 1.1.3. Check your plugin versions immediately.
Upgrade Wastia to version 1.1.3 or later. If immediate upgrade isn't possible, implement temporary workarounds like restricting file upload types or using a WAF.
While no active exploitation is confirmed, the vulnerability's ease of exploitation suggests a high likelihood of exploitation in the near future.
Refer to the official Wastia project website or WordPress plugin repository for the latest advisory and updates related to CVE-2025-49060.