CVE-2025-8889

LOW

Compress & Upload WordPress Plugin < 1.0.5 - Authenticated Arbitrary File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-8889. PoCs published by siberkampus.

AI-analyzed exploit summary: This repository provides a functional proof-of-concept for CVE-2025-8889, demonstrating an arbitrary file upload vulnerability in the WordPress 'Compress Then Upload' plugin (v1.0.3) that leads to remote code execution (RCE). The exploit involves bypassing weak server-side validation by intercepting and modifying an upload request to replace a benign image with malicious PHP code while retaining the original MIME type.
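The summary above describes a validator that trusts the MIME type the client declares in the multipart upload. The Python below is an added example written for this page, not code from the plugin or from the siberkampus PoC: it rebuilds that request shape, shows a declared-type-only check accepting a PHP body sent with an image Content-Type, and contrasts it with a check that sniffs magic bytes, pins the extension to the sniffed type and rejects embedded PHP tags. The field name, filenames, boundary and payload are constructed; that the attacker also renames the file to a .php extension is an assumption, since the summary only says the body is swapped.

```python
"""Added example: MIME-type-only upload validation (CWE-434) versus a
content-sniffing check. Not the plugin's code and not the PoC's code."""
import os
import re
import uuid

# Constructed sample bytes (assumptions, not taken from the PoC).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
BENIGN_IMAGE = PNG_MAGIC + b"\x00" * 16        # stand-in for a real PNG
PHP_PAYLOAD = b"<?php echo 'rce-test'; ?>"     # harmless marker, not a shell


def build_multipart(field, filename, content_type, data, boundary="----burp"):
    """Build (headers, body) of a single-file multipart/form-data POST.
    An intercepting proxy lets the attacker edit `data` and `filename`
    while leaving the part's Content-Type line untouched."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return {"Content-Type": f"multipart/form-data; boundary={boundary}"}, body


def parse_multipart(headers, body):
    """Minimal server-side parser for the body shape built above."""
    boundary = headers["Content-Type"].split("boundary=")[1].encode()
    part = body.split(b"--" + boundary + b"\r\n", 1)[1]
    part = part.rsplit(b"\r\n--" + boundary + b"--", 1)[0]
    head, data = part.split(b"\r\n\r\n", 1)
    head_txt = head.decode()
    return {
        "filename": re.search(r'filename="([^"]*)"', head_txt).group(1),
        "content_type": re.search(r"Content-Type: (\S+)", head_txt).group(1),
        "data": data,
    }


ALLOWED = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def weak_accept(upload):
    """The pattern the CVE describes: trust the client-declared MIME type."""
    return upload["content_type"] in ALLOWED


def sniff(data):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def strict_accept(upload):
    """Hardened check: sniffed type must exist, match the declared type and
    the extension, and the bytes must not carry a PHP open tag (polyglots)."""
    real = sniff(upload["data"])
    if real is None or real != upload["content_type"]:
        return False
    ext = os.path.splitext(upload["filename"])[1].lower()
    if ext != ALLOWED[real] and not (real == "image/jpeg" and ext == ".jpeg"):
        return False
    if b"<?php" in upload["data"] or b"<?=" in upload["data"]:
        return False
    return True


def safe_name(upload):
    """Server-chosen filename for an accepted upload: random stem plus the
    extension implied by the sniffed type, never the client's name."""
    return uuid.uuid4().hex + ALLOWED[sniff(upload["data"])]


def replay_poc():
    """Benign upload, then the intercepted request with the body swapped for
    PHP (Content-Type kept), then a PNG/PHP polyglot. Returns both verdicts."""
    benign = parse_multipart(*build_multipart("file", "photo.png", "image/png", BENIGN_IMAGE))
    hostile = parse_multipart(*build_multipart("file", "shell.php", "image/png", PHP_PAYLOAD))
    polyglot = parse_multipart(*build_multipart("file", "poly.png", "image/png", PNG_MAGIC + PHP_PAYLOAD))
    uploads = (benign, hostile, polyglot)
    return {"weak": [weak_accept(u) for u in uploads],
            "strict": [strict_accept(u) for u in uploads]}


if __name__ == "__main__":
    print(replay_poc())  # weak accepts all three; strict accepts only the PNG
```

In a real WordPress plugin the equivalent of `strict_accept` is `wp_check_filetype_and_ext()` plus an explicit allowlist, and the equivalent of `safe_name` is letting `wp_handle_upload()` place the file; a multisite install additionally withholds the `unfiltered_upload` capability, which is the restriction the description says the plugin bypassed.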

Description

The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high-privilege users such as administrators to upload arbitrary files to the server even when they should not be permitted to (for example, in a multisite setup, where site administrators do not normally hold the unfiltered_upload capability).

Exploits (1)

nomisec WORKING POC
by siberkampus · poc
https://github.com/siberkampus/CVE-2025-8889

Classification
Working PoC (95% confidence)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: WordPress Compress Then Upload Plugin v1.0.3
Auth required
Prerequisites: Authenticated WordPress user with Author role or higher · Burp Suite or similar intercepting proxy · Access to WordPress admin panel
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References (1)
Exploit, Third Party Advisory · tags: exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/5d84a577-62aa-4aa2-ac39-b146eae65243/

Scores

CVSS v3 3.8
EPSS 0.0027
EPSS Percentile 17.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-434
Status published
Products (1)
eliehanna/compress_and_upload_plugin < 1.0.5
Published Sep 09, 2025
Tracked Since Feb 18, 2026