← back
CVE-2025-23922

WordPress iSpring Embedder plugin <= 1.0 - CSRF to Arbitrary File Upload vulnerability

CVSS 10 CRITICALEPSS 1.0%CWE-352
Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a Web Server.This issue affects iSpring Embedder: from n/a through <= 1.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Harsh · iSpring Embedder
public PoCs found1
githubgithub.com/Nxploited/CVE-2025-239222
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://patchstack.com/database/Wordpress/Plugin/embed-ispring/vulnerability/wordpress-ispring-embedder-plugin-1-0-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve