Platform: wordpress
Component: digiwidgets-image-editor
Fixed in: 1.10.1
CVE-2025-30580 describes a Remote Code Execution (RCE) vulnerability within the DigiWidgets Image Editor, allowing for Remote Code Inclusion. This flaw permits attackers to execute arbitrary code on affected systems, potentially leading to complete system takeover. The vulnerability impacts versions from 0.0.0 up to and including 1.10. A patch is available in version 1.10.1.
The impact of this RCE vulnerability is severe. An attacker can leverage Remote Code Inclusion to execute malicious code directly on the server hosting the DigiWidgets Image Editor. This could involve deploying malware, stealing sensitive data, modifying website content, or establishing a persistent backdoor for future access. The blast radius extends to the entire server and potentially to any connected systems if the attacker gains further access. Successful exploitation amounts to a complete compromise of the host, enabling data exfiltration and further malicious activity.
CVE-2025-30580 was publicly disclosed on 2025-04-01. Currently, there is no indication of active exploitation campaigns. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code may emerge, increasing the risk of exploitation.
WordPress websites utilizing the DigiWidgets Image Editor plugin are at risk. Specifically, sites running older versions (0.0.0 - 1.10) are vulnerable. Shared hosting environments where users have limited control over plugin installations are particularly susceptible.
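Because the affected range ends at 1.10 and the fix is 1.10.1, a plain string comparison of version numbers is not reliable. The following POSIX shell check is an added example (not code from the advisory or from the plugin): it reads the Version header from a plugin's main PHP file and compares it field by field against the fixed release. The main file name under wp-content/plugins/digiwidgets-image-editor/ is an assumption (set PLUGIN_MAIN), and the embedded header is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the original advisory or the plugin: read the
# installed DigiWidgets Image Editor version from its plugin header and test
# whether it is in the CVE-2025-30580 affected range (0.0.0 through 1.10).
FIXED_VERSION="1.10.1"

# Compare two dotted versions numerically, field by field; prints -1, 0 or 1.
# Missing trailing fields count as 0, so "1.10" sorts below "1.10.1", and a
# plain string comparison (which ranks "1.9" above "1.10") is avoided.
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the given version is older than the fixed release.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Extract the "Version:" line from a plugin's main PHP file header block.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r'
}

# Prints "affected (...)" or "patched (...)" for one plugin main file.
report() {
    v=$(plugin_version "$1")
    if is_affected "$v"; then
        echo "affected ($v < $FIXED_VERSION)"
    else
        echo "patched ($v)"
    fi
}

# Constructed sample header standing in for the real plugin file; on a live
# site point PLUGIN_MAIN at the plugin's main .php file (name is an assumption).
SAMPLE_FILE=$(mktemp)
printf '%s\n' '<?php' '/*' ' * Plugin Name: DigiWidgets Image Editor' \
    ' * Version: 1.10' ' */' > "$SAMPLE_FILE"
report "${PLUGIN_MAIN:-$SAMPLE_FILE}"
```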
• wordpress / composer / npm:
grep -r 'kellydiek DigiWidgets Image Editor' /var/www/html/
wp plugin list | grep digiwidgets-image-editor
• generic web:
curl -I https://your-website.com/wp-content/plugins/digiwidgets-image-editor/ | grep -i 'digiwidgets-image-editor'
Disclosure
Exploit status:
EPSS: 0.38% (59th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-30580 is to immediately upgrade DigiWidgets Image Editor to version 1.10.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file upload permissions within the WordPress environment to prevent the upload of malicious code. Review and harden WordPress security configurations, including disabling unnecessary plugins and themes. Monitor server logs for suspicious activity related to file uploads or code execution.
Update the DigiWidgets Image Editor plugin to the latest available version to mitigate the remote code execution vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Consider disabling or removing the plugin if it is not essential.
CVE-2025-30580 is a critical Remote Code Execution vulnerability in DigiWidgets Image Editor, allowing attackers to execute arbitrary code via Remote Code Inclusion. It affects versions 0.0.0 through 1.10.
Yes, if your WordPress site uses DigiWidgets Image Editor version 0.0.0 to 1.10, you are affected by this vulnerability. Check your plugin versions immediately.
Upgrade DigiWidgets Image Editor to version 1.10.1 or later to resolve this vulnerability. If immediate upgrade is not possible, implement temporary workarounds like restricting file uploads.
Currently, there is no confirmed evidence of active exploitation, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the DigiWidgets Image Editor website or WordPress plugin repository for the official advisory and update information.