| CVE-2025-7441 | An unauthenticated attacker can cause the server to fetch and persist attacker-controlled content into the WordPress uploads directory (e.g. wp-content/uploads/YYYY/MM/). If the uploaded file can be interpreted/executed by the server (for example, a PHP file and the server allows PHP execution there), this leads to remote code execution (RCE) and full site compromise. |
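
An added example, not part of the original advisory: a Python audit of the uploads directory named above that reports files the server could execute as PHP. The extension list, the reason labels and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions commonly mapped to the PHP handler (assumption; match your server config).
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".pht", ".php3", ".php4", ".php5", ".php7"}
PHP_OPEN_TAG = b"<?php"
SCAN_BYTES = 64 * 1024  # only the head of each file is inspected


def audit_uploads(uploads_root):
    """Return sorted (relative_path, reason) pairs for files that could run as PHP."""
    root = Path(uploads_root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            # Any PHP suffix counts, so "x.php.jpg" is reported as well as "x.php".
            if any(s.lower() in PHP_EXTENSIONS for s in path.suffixes):
                findings.append((rel, "php-extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SCAN_BYTES)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if PHP_OPEN_TAG in head.lower():
                findings.append((rel, "php-open-tag"))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed uploads tree: one image, one PHP file, one disguised file."""
    month = Path(base) / "2025" / "07"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (month / "fetched.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
    (month / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php /* constructed */ ?>")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in audit_uploads(build_sample_tree(tmp)):
            print(f"{reason:14} {rel}")
```

Run against a real site by passing the path to wp-content/uploads; any finding means a file in that directory is worth inspecting and that PHP execution there should be checked.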