CVE-2025-28951 — AI Deep Analysis Summary

🚨 **Essence**: Arbitrary File Upload vulnerability in 'Bulk Featured Image' plugin. <br>💥 **Consequences**: Attackers can upload **Web Shells**, leading to full server compromise, data theft, and site defacement.

🛡️ **Root Cause**: CWE-434 (Unrestricted Upload of File with Dangerous Type).…

👥 **Affected**: Vendor: **CreedAlly**. <br>📦 **Product**: Bulk Featured Image. <br>📉 **Version**: **1.2.1 and earlier** versions.

🕵️ **Hacker Actions**: Gain **Remote Code Execution (RCE)**. <br>📂 **Data Access**: Read/Write arbitrary files, execute system commands, and potentially take over the entire WordPress installation.

🔐 **Threshold**: **Medium**. <br>📝 **Auth Required**: **PR:H** (High Privileges Required). <br>⚙️ **Config**: UI:N (No User Interaction). Requires authenticated access to the WordPress admin/dashboard.

📜 **Public Exploit**: **No** public PoC or wild exploitation detected in the provided data. <br>⚠️ **Risk**: Despite no public code, the CVSS score is **Critical (9.8)**, indicating high theoretical exploitability.

🔍 **Self-Check**: <br>1. Check WordPress Plugins list for **Bulk Featured Image**. <br>2. Verify version is **≤ 1.2.1**. <br>3. Scan for unauthorized PHP files in upload directories.

🛠️ **Fix**: Update the plugin to the latest version immediately. <br>📚 **Reference**: Patchstack database entry confirms the vulnerability and fix availability.

🚧 **Workaround (No Patch)**: <br>1. **Deactivate/Uninstall** the plugin if not essential. <br>2. Restrict file upload permissions in `wp-config.php` or server config. <br>3.…

🔥 **Urgency**: **CRITICAL**. <br>📅 **Priority**: **Immediate Action Required**. <br>💡 **Reason**: CVSS 9.8 score + Web Shell capability = High impact. Do not delay patching.