BEAF < 4.6.11 – Authenticated (Admin+) Arbitrary File Upload | CVE 2025-47549 | Plugin Vulnerabilities

Description

The Ultimate Before After Image Slider & Gallery – BEAF plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 4.6.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

beaf-before-and-after-gallery

Fixed in 4.6.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/66559c2a-1c8d-4861-8151-31972982683d

Miscellaneous

Original Researcher

Ryan Kozak

Verified

No

WPVDB ID

26dcfa5d-398e-42ad-affa-868bd5f71fae

Timeline

Publicly Published

2025-05-07 (about 1 year ago)

Added

2025-05-12 (about 1 year ago)

Last Updated

2025-05-12 (about 1 year ago)

Other

Published

Title

Published

2023-12-18

Title

Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload

Published

2026-04-14

Title

WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload

Published

2014-08-01

Title

Evarisk 5.1.5.4 - include/lib/actionsCorrectives/activite/uploadPhotoApres.php File Upload PHP Code Execution

Published

2025-06-10

Title

WordPress Automatic Plugin - AI content generator and auto poster plugin < 3.116.0 - Authenticated (Author+) Arbitrary File Upload

Published

2026-03-03

Title

Keenarch < 2.0.1 - Authenticated (Subscriber+) Arbitrary File Upload