CVE-2025-5831: 
WordPress vulnerability analysis and mitigation

The Droip plugin for WordPress contains a critical vulnerability (CVE-2025-5831) discovered on July 24, 2025. This vulnerability affects all versions up to and including 2.2.0 of the Droip plugin, which is a no-code website builder for WordPress. The issue stems from missing file type validation in the make_google_font_offline() function (NVD, CISA).

The vulnerability is classified as an arbitrary file upload vulnerability with a CVSS v3.1 base score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is tracked under CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability exists in the make_google_font_offline() function where file type validation is missing, allowing for unrestricted file uploads (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution, giving attackers significant control over the compromised system (NVD, CISA).

Website administrators running the affected versions of the Droip plugin (versions up to and including 2.2.0) should update to a patched version as soon as it becomes available. In the meantime, it's recommended to implement strict access controls and monitor file upload activities closely (NVD).