CVE-2025-4413: 
WordPress vulnerability analysis and mitigation

The Pixabay Images plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2025-4413) discovered in June 2025. This vulnerability affects all versions up to and including 3.4, where the pixabay_upload function lacks proper file type validation. The issue allows authenticated users with Author-level privileges or higher to upload arbitrary files to the affected WordPress site's server (NVD, Wiz).

The vulnerability stems from insufficient file type validation in the pixabay_upload function. The issue has been classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS v3.1 score is 8.8 HIGH with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a high severity level (NVD, Wiz).

The vulnerability enables authenticated attackers with Author-level access or higher to upload arbitrary files to the server, potentially leading to remote code execution. This could result in complete compromise of the affected WordPress installation (NVD).

Users should upgrade to a version newer than 3.4 once available. In the meantime, it is recommended to restrict Author and Editor role assignments to trusted users only and monitor file uploads closely (Wiz).