CVE-2025-6085 Overview
CVE-2025-6085 is an arbitrary file upload vulnerability in the Make Connector plugin for WordPress, developed by Celonis. The flaw exists in the upload_media function due to misconfigured file type validation. All plugin versions up to and including 1.5.10 are affected. Authenticated attackers with Administrator-level access can upload arbitrary files to the affected server. Successful exploitation can lead to remote code execution on the WordPress host. The vulnerability is tracked under [CWE-434] Unrestricted Upload of File with Dangerous Type.
Critical Impact
Authenticated administrators can upload arbitrary files through the Make Connector plugin, enabling remote code execution on the underlying WordPress server.
Affected Products
- Celonis Make Connector for WordPress (versions up to and including 1.5.10)
- WordPress sites with the integromat-connector plugin installed
- Any hosting environment running the vulnerable plugin under the wordpress CPE target
Discovery Timeline
- 2025-09-04 - CVE-2025-6085 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2025-6085
Vulnerability Analysis
The Make Connector plugin exposes a REST endpoint that handles media uploads through the upload_media function inside class-rest-request.php. The function fails to enforce a strict allowlist of permitted file types or validate file content against declared MIME types. As a result, an authenticated administrator can submit a request containing executable PHP content disguised as a media file. WordPress writes the supplied content to a web-accessible directory under wp-content/uploads/, where the web server interprets it. The issue is classified as [CWE-434] Unrestricted Upload of File with Dangerous Type.
Root Cause
The root cause is missing or misconfigured validation of file extensions and MIME types within the upload_media handler. The plugin trusts client-supplied metadata when writing files to disk. Reviewing the plugin source at the referenced lines in class-rest-request.php shows the upload path lacks the wp_check_filetype_and_ext controls that WordPress recommends for media handling.
Attack Vector
The attack requires Administrator-level credentials on the target WordPress instance. Once authenticated, the attacker sends a crafted HTTP request to the plugin's REST endpoint with a malicious payload such as a PHP webshell. After upload, the attacker requests the file directly from its uploads URL, triggering server-side execution. Public proof-of-concept material is available at the GitHub PoC Repository and the Ryan Kozak CVE Analysis. Technical details on the upload path are also documented in the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-6085
Indicators of Compromise
- New PHP, .phtml, or other executable files written under wp-content/uploads/ after Make Connector REST requests
- HTTP POST requests to the integromat-connector REST endpoints containing non-media file extensions
- Outbound connections from the PHP worker process to unexpected hosts after upload activity
- Unexpected administrator account logins preceding upload activity
Detection Strategies
- Audit the WordPress filesystem for executable files inside the uploads directory using integrity monitoring
- Inspect web server access logs for requests to .php files served from wp-content/uploads/
- Correlate WordPress admin login events with REST API calls to the Make Connector plugin
- Compare installed plugin versions against the patched release noted in the WordPress Plugin Change Log
Monitoring Recommendations
- Enable verbose logging on REST API requests targeting /wp-json/integromat-connector/
- Forward web server, PHP-FPM, and WordPress audit logs to a centralized SIEM for correlation
- Alert on creation of new files with executable extensions inside any uploads path
- Monitor for new or modified administrator accounts on affected WordPress sites
How to Mitigate CVE-2025-6085
Immediate Actions Required
- Update the Make Connector plugin to a release later than 1.5.10 as published in the WordPress Plugin Change Log
- Rotate all administrator credentials and enforce multi-factor authentication on WordPress admin accounts
- Inspect wp-content/uploads/ for unauthorized executable files and remove any identified webshells
- Review WordPress and web server logs for prior exploitation activity
Patch Information
Celonis released a fix that adds proper file type validation to the upload_media function. Site operators should upgrade through the WordPress plugin updater or by replacing the plugin directory with the patched release referenced in the WordPress Plugin Change Log. Verify the post-upgrade version inside wp-admin and confirm REST endpoints reject non-media uploads.
Workarounds
- Deactivate and remove the Make Connector plugin until patching is complete
- Restrict access to /wp-admin and the plugin's REST endpoints by source IP at the web server or WAF
- Configure the web server to deny execution of PHP files under wp-content/uploads/
- Apply a WAF rule that blocks file uploads with executable extensions through the plugin's endpoints
# Configuration example: deny PHP execution in WordPress uploads (nginx)
location ~* /wp-content/uploads/.*\.(php|phtml|phar|php7|php8)$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
