CVE-2025-3914: 
WordPress vulnerability analysis and mitigation

The Aeropage Sync for Airtable plugin for WordPress contains a vulnerability (CVE-2025-3914) discovered and disclosed on April 26, 2025. The vulnerability affects all versions up to and including 3.2.0, where missing file type validation in the 'aeropagemediadownloader' function allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server (NVD, Wiz).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The security flaw stems from insufficient validation of file types in the 'aeropagemediadownloader' function, which fails to properly restrict the types of files that can be uploaded (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server. This capability could potentially be leveraged to achieve remote code execution on the target system, giving attackers significant control over the compromised WordPress installation (NVD, Wiz).

The vulnerability has been patched in version 3.3.0 of the plugin. Site administrators are strongly advised to update to this version immediately. The update includes security fixes that prevent unauthorized users from uploading files without restriction (WordPress Plugin).