CVE-2018-25335 -- CVSS 9.8 Vulnerability Briefing
CVE-2018-25335 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2018-25335 is an arbitrary file upload vulnerability in the WordPress plugin Peugeot Music version 1.0, affecting the plugin's upload.php endpoint, which accepts unauthenticated file upload requests.
Technical Detail
The flaw exists because the upload.php endpoint performs no authentication check and imposes no effective restriction on the type or content of files submitted via HTTP POST requests. An unauthenticated remote attacker can upload a malicious file, such as a PHP web shell, directly to the server. Successful exploitation results in remote code execution (RCE) under the web server process context, granting the attacker the ability to execute arbitrary commands, access sensitive data, or pivot further into the hosting environment.
Exploitation Status
No known exploit has been publicly documented or confirmed for this vulnerability at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Despite the critical CVSS score of 9.8, there is no evidence of active exploitation, proof-of-concept code, or weaponized tooling in circulation as of the date of this briefing.
Who Is Targeting This
No specific threat actor has been attributed to this vulnerability at this time, and no confirmed or reported threat actor activity has been associated with it.
What To Do
The Peugeot Music plugin version 1.0 should be removed from any WordPress installation immediately, as no patched version is known to be available and the plugin appears to be abandoned. If removal is not immediately possible, restrict web server access to the upload.php file via server-level configuration rules or a web application firewall rule blocking POST requests to that endpoint. Site administrators should audit their web root and upload directories for any recently placed PHP files or web shells that may indicate prior compromise. Given the unauthenticated nature of the attack vector and the critical severity rating, this plugin should be treated as a high-priority remediation item on any internet-facing WordPress installation.
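The two interim measures above (denying web access to upload.php at the server level and auditing the web root and upload directories for recently placed PHP files or disguised web shells), as an added example that is not part of this briefing and is not the plugin's own code. It assumes an Apache 2.4 host, a plugin directory path supplied by the operator, and a 30-day recency window; the file names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the briefing): interim containment and audit helpers
# for an unauthenticated upload endpoint. Paths and thresholds are assumptions.

# Write an Apache 2.4 rule into the given plugin directory (assumed path) that
# denies every request to upload.php, regardless of method or authentication.
write_upload_deny_rule() {
    plugin_dir="$1"
    cat > "$plugin_dir/.htaccess" <<'EOF'
# Deny all access to the unauthenticated upload endpoint (CVE-2018-25335).
<Files "upload.php">
    Require all denied
</Files>
EOF
}

# List *.php files under the given tree modified within the last N days
# (default 30). A WordPress uploads tree should contain no PHP at all, so any
# hit is worth a manual look.
find_recent_php() {
    dir="$1"; days="${2:-30}"
    find "$dir" -type f -iname '*.php' -mtime "-$days" 2>/dev/null | sort
}

# List files whose extension is not .php but whose first 512 bytes contain a
# PHP open tag, e.g. a script renamed to photo.jpg to pass a weak type filter.
find_disguised_php() {
    dir="$1"
    find "$dir" -type f ! -iname '*.php' 2>/dev/null | while IFS= read -r f; do
        if head -c 512 "$f" | grep -q '<?php'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Combined audit: one path per line, de-duplicated, for review by the operator.
audit_uploads() {
    dir="$1"; days="${2:-30}"
    { find_recent_php "$dir" "$days"; find_disguised_php "$dir"; } | sort -u
}

# Usage (paths are constructed placeholders):
#   write_upload_deny_rule /var/www/html/wp-content/plugins/<plugin-dir>
#   audit_uploads /var/www/html/wp-content/uploads 30
```

The .htaccess rule only takes effect if the virtual host's AllowOverride permits it; on hosts that disable .htaccess, place the same `<Files>` block in the virtual host configuration instead. The audit flags candidates only: every hit, including PHP files with an innocent-looking name, should be reviewed by hand, and removing the plugin remains the actual fix.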