PT-2025-13604 · WordPress · Inline Image Upload For Bbpress

Muhammad Yudha · Published 2025-03-29 · Updated 2025-04-03 · CVE-2025-2006

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Inline Image Upload for BBPress plugin for WordPress, versions up to, and including, 1.1.19

Description: The vulnerability is a missing file type validation in the plugin's file upload functionality. It allows authenticated attackers with Subscriber-level access and above to upload arbitrary files to the affected site's server, which could potentially lead to remote code execution. In configurations where the "Allow guest users without accounts to create topics and replies" setting is enabled, unauthenticated attackers may also be able to exploit this issue.

Recommendations: For versions up to, and including, 1.1.19, update to a version that includes the necessary file type validation to prevent arbitrary file uploads. As a temporary workaround, consider disabling the file uploading functionality until a patch is available. Restrict access to the file uploading feature to minimize the risk of exploitation, especially when the "Allow guest users without accounts to create topics and replies" setting is enabled.
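The following is an added example, not code from the Inline Image Upload for BBPress plugin, showing what the file type validation the advisory calls for looks like in a WordPress upload handler: an authorization and nonce check up front, an explicit image allowlist, content sniffing via WordPress's own wp_check_filetype_and_ext(), and a move delegated to wp_handle_upload() with the same allowlist. The function names, the nonce action and the required capability are assumptions; a site would substitute the capability it grants to trusted forum posters.

```php
<?php
/**
 * Added example (not code from the Inline Image Upload for bbPress plugin):
 * a hardened inline-image upload handler that performs the file type
 * validation the advisory says versions <= 1.1.19 lack.
 * Function names, the nonce action and the capability are hypothetical.
 */

// Allowlist of image extensions and the MIME types each must carry.
const IIU_EXAMPLE_ALLOWED_MIMES = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'gif'      => 'image/gif',
    'webp'     => 'image/webp',
);

/**
 * Validate one $_FILES entry. Returns a WP_Error on any problem, otherwise
 * the sanitized filename and the verified MIME type.
 */
function iiu_example_validate_image( array $file ) {
    if ( ! isset( $file['error'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'upload_error', 'Upload did not complete.' );
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_uploaded', 'Not an uploaded file.' );
    }
    // Drop path components and unsafe characters from the client-supplied name.
    $name = sanitize_file_name( wp_basename( $file['name'] ) );

    // Check the extension AND the real content against the allowlist. For images
    // WordPress sniffs the actual bytes, so a script renamed to .png is rejected
    // (empty ext/type) instead of being accepted on its extension alone.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, IIU_EXAMPLE_ALLOWED_MIMES );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF and WebP images are accepted.' );
    }
    // If the extension did not match the content, WordPress proposes a corrected name.
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }
    // Defence in depth: the file must also decode as an image.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_image', 'File is not a valid image.' );
    }
    return array( 'name' => $name, 'type' => $check['type'] );
}

/**
 * AJAX handler: authorization and CSRF checks first, then validation, then the
 * move is delegated to wp_handle_upload() with the same explicit allowlist.
 */
function iiu_example_handle_upload() {
    // Guests are refused outright; the forum's "allow guest users" setting must
    // never decide who may write files to disk. 'upload_files' is the assumed
    // capability here; a site would use whatever it grants to trusted posters.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Not allowed.', 403 );
    }
    check_ajax_referer( 'iiu_example_upload', 'nonce' ); // hypothetical nonce action

    if ( empty( $_FILES['image'] ) ) {
        wp_send_json_error( 'No file.', 400 );
    }
    $result = iiu_example_validate_image( $_FILES['image'] );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    $_FILES['image']['name'] = $result['name'];
    $moved = wp_handle_upload( $_FILES['image'], array(
        'test_form' => false,
        'test_type' => true,                      // core re-checks the type on move
        'mimes'     => IIU_EXAMPLE_ALLOWED_MIMES, // never fall back to the site-wide list
    ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $moved['url'], 'type' => $result['type'] ) );
}
add_action( 'wp_ajax_iiu_example_upload', 'iiu_example_handle_upload' );
```

Two design choices matter most for the class of bug described above: the allowlist is passed explicitly to both wp_check_filetype_and_ext() and wp_handle_upload(), so the accepted set cannot silently widen to the site-wide upload_mimes list, and there is deliberately no wp_ajax_nopriv_ hook registered, so an unauthenticated request never reaches the handler regardless of the guest-posting setting.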

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-2006

Affected Products

Inline Image Upload For Bbpress