Critical vulnerability reported in Echo RSS Feed Post Generator WordPress Plugin
Take action: If you are running the Echo RSS Feed Post Generator WordPress plugin, update it IMMEDIATELY. Any attacker can upload an arbitrary file, and your WordPress site is already exposed to the entire internet. Don't wait, the update is very simple.
A critical security vulnerability has been identified in the Echo RSS Feed Post Generator WordPress plugin that allows unauthenticated attackers to upload arbitrary files to the affected website's server, potentially enabling remote code execution.
The vulnerability is tracked as CVE-2025-4391 (CVSS score of 9.8) - Unrestricted Upload of File with Dangerous Type. It stems from inadequate file type validation in the plugin's featured image generation function, which allows unauthenticated attackers to bypass upload restrictions and place malicious files on the server. Any website running the affected plugin versions is potentially exposed to attacks that could compromise the entire server.
Affected versions are Echo RSS Feed Post Generator plugin 5.4.8.1 and earlier.
Website administrators are strongly advised to update the Echo RSS Feed Post Generator plugin to version 5.4.8.2 or newer, scan web directories for suspicious files that may have been uploaded while the plugin was running in a vulnerable state, and review server logs for potential exploitation attempts.
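One way to carry out the file scan recommended above, as an added example that is not the plugin's or the advisory's own code: it walks an uploads tree and flags files with PHP-executable extensions, image extensions that lack image magic bytes, or a PHP open tag embedded in an image. The directory layout, sample files and extension lists are constructed assumptions to adapt to the site.

```python
import os
import re
import tempfile

# Extensions expected under wp-content/uploads versus ones PHP would execute (constructed lists).
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
EXECUTABLE_EXT = {".php", ".php5", ".php7", ".phtml", ".phar"}
# Magic bytes for the image formats above; anything else is not an image.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def classify(path):
    """Return why a file is suspicious, or None if it looks like a normal image."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXT:
        return "executable extension in uploads"
    if ext not in IMAGE_EXT:
        return "unexpected extension " + ext
    with open(path, "rb") as f:
        data = f.read()  # whole file: a PHP tag may be appended after valid image data
    if not data.startswith(MAGIC):
        return "image extension but no image magic bytes"
    if PHP_TAG.search(data):
        return "PHP tag embedded in image"
    return None

def scan_uploads(root):
    """Walk an uploads tree and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def build_sample():
    """Constructed uploads tree: one clean PNG, one PHP file, one JPEG with a PHP tag."""
    root = tempfile.mkdtemp(prefix="uploads-")
    sub = os.path.join(root, "2025", "05")
    os.makedirs(sub)
    samples = {"ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
               "shell.php": b"<?php /* constructed sample */ ?>",
               "cover.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"<?php /* appended */ ?>"}
    for name, content in samples.items():
        with open(os.path.join(sub, name), "wb") as f:
            f.write(content)
    return root
```

Run `scan_uploads("/path/to/wp-content/uploads")` against the real tree; anything reported deserves a manual look before deletion, and a clean result does not rule out files placed outside the uploads directory.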