Make Connector < 1.6.0 – Authenticated (Administrator+) Arbitrary File Upload | CVE 2025-6085 | Plugin Vulnerabilities

Description

The Make Connector plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'upload_media' function in all versions up to, and including, 1.5.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

integromat-connector

Fixed in 1.6.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c53c322a-b197-4ece-ae4a-a3a86a009e4d

Miscellaneous

Original Researcher

Ryan Kozak

Verified

No

WPVDB ID

3dc9ceda-f590-4393-ae17-f1afbb08e81c

Timeline

Publicly Published

2025-09-03 (about 9 months ago)

Added

2025-09-03 (about 9 months ago)

Last Updated

2025-09-19 (about 9 months ago)

Other

Published

Title

Published

2026-04-07

Title

DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter

Published

2025-03-20

Title

Instant Appointment <= 1.2 - Unauthenticated Arbitrary File Upload

Published

2025-10-23

Title

WooCommerce Designer Pro <= 1.9.26 - Unauthenticated Arbitrary File Upload

Published

2024-10-04

Title

Hash Form - Drag & Drop Form Builder < 1.2.0 - Unauthenticated Limited File Upload

Published

2024-08-05

Title

CRM Perks Forms < 1.1.4 - Authenticated (Administrator+) Arbitrary File Upload