CVE-2023-6925 in Unlimited Addons for WPBakery Page Builder Plugin
Summary
by MITRE • 02/06/2024
The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to, and including, 1.0.42. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin (the default is editor role, but access can also be granted to contributor role), to upload arbitrary files on the affected site's server which may make remote code execution possible.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2023-6925 affects the Unlimited Addons for WPBakery Page Builder plugin, a popular WordPress extension that enhances page building capabilities. The flaw lies in the plugin's 'importZipFile' function and affects all versions up to and including 1.0.42, representing a critical security risk for WordPress installations that use this plugin. It stems from inadequate validation of file types during the import process, which is what allows files of unexpected types to be written to the server.
In practice, an authenticated attacker uses the privileges of an existing WordPress account to upload arbitrary files. Specifically, a user holding a role the administrator has granted access to the plugin (editor by default, though access can also be granted to the contributor role) can abuse this weakness to place malicious files on the server. Because the plugin's default configuration exposes its import functionality to editors, exploitation requires no privilege escalation beyond possession of such an account, which makes this attack vector particularly dangerous. The flaw corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type) and is a classic example of an insecure file upload vulnerability.
The operational impact extends beyond the unauthorized upload itself, because the ability to write arbitrary files to the web root creates the potential for remote code execution on the affected server. Attackers can use this capability to deploy web shells, malicious scripts, or other payloads that compromise the entire WordPress installation, gaining persistent access to the server and potentially leading to data breaches, defacement, or further exploitation of the surrounding network. The risk is compounded by the fact that the plugin's default role configuration grants sufficient privileges to exploit the vulnerability without administrative access.
Security professionals should immediately implement mitigations, including updating to the latest plugin version that addresses this vulnerability, adding server-side file validation (an allowlist of permitted extensions and content checks on every file contained in an imported archive), and restricting the plugin's import capability to the smallest set of roles that genuinely need it. In ATT&CK terms, exploitation maps to T1505.003 (Web Shell) and T1078 (Valid Accounts), since it relies on an existing account's privileges to establish persistent access. Organizations should also consider network-level restrictions and monitoring for unusual upload activity, such as new PHP files appearing under the uploads or plugin directories. The vulnerability demonstrates the importance of proper input validation and the principle of least privilege in web application security, and underlines that plugin developers must implement robust controls to prevent unauthorized file operations.
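As an added example (not the plugin's code and not part of the VulDB analysis), the kind of allowlist validation a WordPress plugin could apply to an uploaded ZIP before extracting any of it; the `manage_options` gating capability and the set of permitted extensions are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the Unlimited Addons plugin. Validates every
// entry of an import archive before anything is extracted to disk.
// Assumptions: runs inside WordPress (WP_Error, current_user_can), and the
// capability 'manage_options' is a hypothetical choice for gating the import.

function secure_validate_import_zip( string $zip_path, array $allowed_ext = array( 'json', 'css', 'png', 'jpg', 'jpeg' ) ) {
    // Gate the operation on a capability, not on whichever role the plugin
    // happened to be exposed to; administrators normally hold this one.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability for import.' );
    }

    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path, ZipArchive::CHECKCONS ) ) {
        return new WP_Error( 'bad_zip', 'Archive could not be opened or is inconsistent.' );
    }

    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );

        // Reject absolute paths, backslashes, NUL bytes and ".." components so an
        // entry cannot escape the intended extraction directory.
        if ( 0 === strpos( $name, '/' ) || false !== strpos( $name, "\\" )
            || false !== strpos( $name, "\0" ) || preg_match( '#(^|/)\.\.(/|$)#', $name ) ) {
            $zip->close();
            return new WP_Error( 'bad_entry', "Unsafe path in archive: $name" );
        }

        if ( '/' === substr( $name, -1 ) ) {
            continue; // directory entry, nothing to type-check
        }

        // Check every dotted suffix, so "shell.php.png" is rejected as well as
        // "shell.php": some server configurations dispatch on the first extension.
        $parts = explode( '.', basename( $name ) );
        array_shift( $parts ); // drop the base name itself
        if ( empty( $parts ) ) {
            $zip->close();
            return new WP_Error( 'bad_type', "Entry without extension: $name" );
        }
        foreach ( $parts as $ext ) {
            if ( ! in_array( strtolower( $ext ), $allowed_ext, true ) ) {
                $zip->close();
                return new WP_Error( 'bad_type', "Disallowed file type in archive: $name" );
            }
        }
    }

    $zip->close();
    return true; // safe to extract with ZipArchive::extractTo()
}
```

Extension checks alone do not verify content; pairing this with a content check on each extracted file (for example WordPress's own `wp_check_filetype_and_ext()`) closes the remaining gap for image and text formats.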