CVE-2025-13094
📋 TL;DR
The WP3D Model Import Viewer plugin for WordPress has a vulnerability that allows authenticated attackers with Author-level access or higher to upload arbitrary files due to missing file type validation. This can lead to remote code execution on affected WordPress sites. All sites using this plugin up to version 1.0.7 are vulnerable.
💻 Affected Systems
- WP3D Model Import Viewer WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install malware, steal data, deface websites, or pivot to other systems.
Likely Case
Website defacement, data theft, or installation of backdoors for persistent access.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.8 or later
Vendor Advisory: https://wordpress.org/plugins/wp3d-model-import-block/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Go to Plugins → Installed Plugins. 3. Find WP3D Model Import Viewer. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 1.0.8+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate wp3d-model-import-block
Restrict file uploads via .htaccess
linuxBlock execution of uploaded files in the uploads directory
Add to .htaccess in wp-content/uploads: <FilesMatch "\.(php|php5|php7|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove Author-level access from untrusted users and implement least privilege principles
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → WP3D Model Import Viewer → Version. If version is 1.0.7 or lower, you are vulnerable.Check Version:
wp plugin get wp3d-model-import-block --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.0.8 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/ via POST requests
- PHP file execution from uploads directory
- Multiple failed upload attempts from same user
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with file upload parameters
- Unusual outbound connections from web server after file upload
SIEM Query:
source="web_logs" AND (uri="/wp-admin/admin-ajax.php" AND method="POST" AND (form_data CONTAINS "action=handle_import_file" OR form_data CONTAINS "upload_file"))