CVE-2025-47550

MEDIUM

Themefic Instantio <= 3.3.16 - Unauthenticated Arbitrary File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-47550. PoCs published by d0n601.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-47550, an authenticated arbitrary file upload vulnerability in the Instantio WordPress plugin (versions <= 3.3.16). The exploit leverages the `ins_options_save` functionality to upload a malicious PHP shell, enabling remote code execution (RCE) on the target system.

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio instantio allows Upload a Web Shell to a Web Server.This issue affects Instantio: from n/a through <= 3.3.16.

Exploits (1)

nomisec WORKING POC
by d0n601 · poc
https://github.com/d0n601/CVE-2025-47550

This repository contains a functional exploit for CVE-2025-47550, an authenticated arbitrary file upload vulnerability in the Instantio WordPress plugin (versions <= 3.3.16). The exploit leverages the `ins_options_save` functionality to upload a malicious PHP shell, enabling remote code execution (RCE) on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Instantio WordPress Plugin <= 3.3.16
Auth required
Prerequisites: WordPress admin credentials · Instantio plugin version <= 3.3.16 installed
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 6.6
EPSS 0.0038
EPSS Percentile 29.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-434
Status published
Products (2)
themefic/instantio < 3.3.16
Themefic/Instantio < 3.3.16
Published May 07, 2025
Tracked Since Feb 18, 2026