CVE-2025-3917: 
WordPress vulnerability analysis and mitigation

The 百度站长SEO合集(支持百度/神马/Bing/头条推送) WordPress plugin contains a critical vulnerability (CVE-2025-3917) discovered on May 14, 2025, affecting all versions up to and including 2.0.6. The vulnerability allows unauthenticated attackers to perform arbitrary file uploads due to missing file type validation in the downloadremoteimagetomedia_library function (NVD, Wiz).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The security flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability exists in the downloadremoteimagetomedia_library function, which fails to properly validate file types during the upload process (Wiz).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution. This could result in complete system compromise, allowing attackers to gain full control over the affected WordPress installation (NVD).

The plugin has been temporarily closed as of May 13, 2025, pending a full security review. Users are advised to remove the plugin until a patched version is available (WordPress).