CVE-2025-6085: 
WordPress vulnerability analysis and mitigation

The Make Connector plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2025-6085) in versions up to and including 1.5.10. The vulnerability was discovered and disclosed on September 4, 2025. The issue affects the 'upload_media' function in the plugin, which fails to properly validate file types before uploading them to the server (NVD, Researcher Blog).

The vulnerability exists in the /wp-content/integromat-connector/class/class-rest-request.php file where the upload_media() function copies uploaded files to a browsable directory before performing mime type validation. Specifically, the file is copied on line 74 before the mime type check occurs on lines 90-95, allowing attackers to bypass the intended file type restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

This vulnerability allows authenticated attackers with Administrator-level access to upload arbitrary files to the affected site's server, potentially enabling remote code execution. The ability to upload malicious files to a browsable directory gives attackers a pathway to execute arbitrary code in the context of the web server (NVD, Researcher Blog).