CVE-2025-10041

CRITICAL

Flex QR Code Generator <1.2.5 - File Upload


Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-10041. PoCs published by Nxploited, Boshe99.

AI-analyzed exploit summary

This repository contains a functional exploit for CVE-2025-10041, an unauthenticated arbitrary file upload vulnerability in the Flex QR Code Generator WordPress plugin (≤ 1.2.5). The exploit automates the upload of a PHP webshell by leveraging missing file type validation in the `save_qr_code_to_db()` function.

Description

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `save_qr_code_to_db()` function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Exploits (2)

github WORKING POC 3 stars
by Nxploited · python · poc
https://github.com/Nxploited/CVE-2025-10041


Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Flex QR Code Generator WordPress plugin ≤ 1.2.5
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible · Network access to the target WordPress site
devstral-2 · analyzed Feb 19, 2026
github WORKING POC
by Boshe99 · python · poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-10041

This repository contains a functional exploit for CVE-2025-10041, targeting an unauthenticated arbitrary file upload vulnerability in the Flex QR Code Generator WordPress plugin (≤ 1.2.5). The exploit automates version detection, payload generation, and file upload to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Flex QR Code Generator WordPress plugin ≤ 1.2.5
No auth needed
Prerequisites: WordPress site with vulnerable plugin installed · Network access to target
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 9.8
EPSS 0.0088
EPSS Percentile 54.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-434
Status published
Products (1)
ajitdas/Flex QR Code Generator < 1.2.5
Published Oct 15, 2025
Tracked Since Feb 18, 2026