CVE-2025-47549

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress sites using the BEAF plugin. Attackers can gain full control of affected websites. All WordPress installations with BEAF plugin versions up to 4.6.10 are vulnerable.

💻 Affected Systems

Products:
  • Themefic BEAF (Before and After Gallery) WordPress Plugin
Versions: All versions up to and including 4.6.10
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with BEAF plugin enabled. No special configuration needed.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the WordPress site, data theft, defacement, and use as a pivot point for attacking other systems.

🟠 Likely Case: Attackers upload web shells to gain persistent access, install malware, steal data, or use the server for malicious activities.

🟢 If Mitigated: If file uploads are restricted via web application firewall or server configuration, impact is limited to denial of service or file storage exhaustion.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: LOW - This is a WordPress plugin vulnerability, primarily affecting web servers accessible from the internet.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist. Attack requires no authentication and is trivial to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.11 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/beaf-before-and-after-gallery/vulnerability/wordpress-beaf-4-6-10-arbitrary-file-upload-vulnerability?_s_id=cve

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'BEAF - Before and After Gallery'.
  4. Click 'Update Now' if an update is available.
  5. If no update appears, manually download version 4.6.11+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable BEAF Plugin (platform: all)

Temporarily disable the vulnerable plugin until patching is possible:

  wp plugin deactivate beaf-before-and-after-gallery

Restrict File Uploads via .htaccess (platform: linux)

Prevent PHP files in the BEAF upload directory from being served or executed. Note that this denies web access to .php files already in the directory; it does not stop the upload itself, so treat it as a stopgap, not a fix. Add the following to .htaccess in wp-content/uploads/beaf-uploads/:

  <Files *.php>
  deny from all
  </Files>

On Apache 2.4 without mod_access_compat, use "Require all denied" in place of "deny from all".

🧯 If You Can't Patch

  • Immediately disable the BEAF plugin via WordPress admin or command line
  • Implement web application firewall rules to block requests to BEAF upload endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → BEAF version. If version is 4.6.10 or lower, system is vulnerable.

Check Version:

wp plugin get beaf-before-and-after-gallery --field=version

Verify Fix Applied:

Confirm BEAF plugin version is 4.6.11 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-content/plugins/beaf-before-and-after-gallery/upload.php with PHP file uploads
  • Unusual file creations in wp-content/uploads/beaf-uploads/ directory

Network Indicators:

  • POST requests to BEAF upload endpoints with file uploads
  • Subsequent requests to newly uploaded PHP files

SIEM Query:

source="web_logs" AND (uri_path="/wp-content/plugins/beaf-before-and-after-gallery/upload.php" OR uri_path CONTAINS "/wp-content/uploads/beaf-uploads/") AND http_method="POST"
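As an added example (not part of this advisory or the plugin), a small Python scanner that applies the two log indicators above to Apache/nginx combined-format access log lines and flags client IPs that both POSTed to the BEAF upload endpoint and later requested a .php file under the upload directory. The log format is assumed and the log lines are constructed samples.

```python
import re

# Apache/nginx combined log format (assumed); captures only the fields needed here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths taken from the advisory's log indicators.
UPLOAD_ENDPOINT = "/wp-content/plugins/beaf-before-and-after-gallery/upload.php"
UPLOAD_DIR = "/wp-content/uploads/beaf-uploads/"

def scan_access_log(lines):
    """Classify access-log lines against the BEAF indicators.

    Returns a dict with:
      uploads    - (ip, ts) for POSTs to the plugin upload endpoint
      php_hits   - (ip, ts, path) for requests to .php files in the upload dir
      correlated - sorted IPs present in both lists (upload followed by execution)
    """
    uploads, php_hits = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash
        path = m["path"].split("?", 1)[0]  # drop any query string
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads.append((m["ip"], m["ts"]))
        elif path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
            php_hits.append((m["ip"], m["ts"], path))
    correlated = sorted({ip for ip, _ in uploads} & {ip for ip, _, _ in php_hits})
    return {"uploads": uploads, "php_hits": php_hits, "correlated": correlated}

# Constructed sample lines: one upload-then-execute pair, one benign image fetch.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:14:02:11 +0000] "POST /wp-content/plugins/beaf-before-and-after-gallery/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:14:02:15 +0000] "GET /wp-content/uploads/beaf-uploads/x.PHP HTTP/1.1" 200 85 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:14:05:00 +0000] "GET /wp-content/uploads/beaf-uploads/before.jpg HTTP/1.1" 200 45213 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:14:06:30 +0000] "GET /?p=12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG.splitlines())
    for ip in result["correlated"]:
        print(f"ALERT: {ip} posted to the BEAF upload endpoint and then requested a PHP file")
    for ip, ts, path in result["php_hits"]:
        print(f"php hit: {ip} {ts} {path}")
```

The extension check is case-insensitive so mixed-case names such as x.PHP are not missed; feed real logs with `scan_access_log(open(path))`.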
