Flex QR Code Generator CVE-2025-10041: Brief Summary of Critical Arbitrary File Upload Vulnerability

This post provides a brief summary of CVE-2025-10041, a critical arbitrary file upload vulnerability in the Flex QR Code Generator WordPress plugin up to version 1.2.5. It covers technical details, affected versions, and vendor history based on available public sources.
ZeroPath CVE Analysis

2025-10-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can gain remote code execution on WordPress sites by uploading arbitrary files through the Flex QR Code Generator plugin. This vulnerability, tracked as CVE-2025-10041, affects all plugin versions up to and including 1.2.5 and does not require authentication, making it a high-risk issue for any site running the affected software.

Flex QR Code Generator is a third-party WordPress plugin used to generate QR codes for content and e-commerce applications. It is distributed via the official WordPress plugin repository and has a moderate user base. The plugin was closed by WordPress.org on October 14, 2025, following the disclosure of this vulnerability.

Technical Information

CVE-2025-10041 is caused by missing file type validation in the save_qr_code_to_db() function, located in qr-code-generator.php at line 208. This function is responsible for handling file uploads as part of the QR code generation workflow. Due to the lack of validation, attackers can upload files with arbitrary extensions and content types, including executable PHP scripts.

The vulnerability can be exploited remotely and does not require any authentication. Attackers can send a crafted HTTP request to the vulnerable endpoint, resulting in the upload of a malicious file to the server. Once uploaded, the attacker can access the file directly via the web server, leading to remote code execution.

The root cause is a failure to restrict file types and verify file content before saving uploads. This aligns with CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerable code is publicly referenced in the plugin's source:

qr-code-generator.php#L208

No authentication or special permissions are required for exploitation, and the attack can be performed over the network.
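The controls the report says are missing (file type validation, plus the authorization that would have kept the endpoint from being reachable unauthenticated) look like this in a WordPress upload handler. This is an added illustration, not code from the plugin or from ZeroPath; the function name `flexqr_save_uploaded_qr`, the nonce action `flexqr_upload` and the `flex-qr/` subdirectory are assumptions, and it assumes the WordPress API (`wp_check_filetype_and_ext()`, `wp_upload_dir()`) is loaded.

```php
<?php
// Hypothetical hardened upload handler for a QR-image plugin (not the real plugin's code).
// $file is one entry of $_FILES, e.g. $_FILES['qr_image'].
function flexqr_save_uploaded_qr( array $file ) {
    // 1. Authorization and CSRF protection: the reported handler needed neither.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'flexqr_upload' ) ) {   // 'flexqr_upload' is an assumed action name
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    // 2. Basic upload sanity: PHP must have received it as an upload, with no transport error.
    if ( ! isset( $file['tmp_name'], $file['name'] ) || UPLOAD_ERR_OK !== $file['error']
         || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_upload', 'No valid upload.' );
    }
    // 3. Allowlist, not denylist: only raster images a QR code can be. SVG is deliberately
    //    excluded because it can embed script; PHP and every other type is rejected by default.
    $allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    // wp_check_filetype_and_ext() matches the extension against the allowlist AND sniffs the
    // real content of image files, so a PHP script renamed to .png fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || ! empty( $check['proper_filename'] ) ) {
        return new WP_Error( 'bad_type', 'Only PNG or JPEG images are accepted.' );
    }
    // 4. Reject multi-extension names such as "qr.php.png" regardless of what passed above.
    if ( 1 !== substr_count( basename( $file['name'] ), '.' ) ) {
        return new WP_Error( 'bad_name', 'Unexpected filename.' );
    }
    // 5. Never reuse the client-supplied name: generate a random server-side name with the
    //    verified extension, inside a dedicated subdirectory of the uploads folder.
    $upload_dir = wp_upload_dir();
    $target_dir = trailingslashit( $upload_dir['basedir'] ) . 'flex-qr/';   // assumed subdirectory
    wp_mkdir_p( $target_dir );
    $filename = wp_unique_filename(
        $target_dir,
        'qr-' . wp_generate_password( 12, false ) . '.' . $check['ext']
    );
    if ( ! move_uploaded_file( $file['tmp_name'], $target_dir . $filename ) ) {
        return new WP_Error( 'move_failed', 'Could not store file.' );
    }
    return $target_dir . $filename;
}
```

As defence in depth against this class of bug, the web server should also be configured to refuse to execute `.php` files anywhere under `wp-content/uploads`, so that a validation bypass in any plugin yields a stored file rather than code execution.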

Affected Systems and Versions

  • Product: Flex QR Code Generator plugin for WordPress
  • Affected versions: All versions up to and including 1.2.5
  • Vulnerable in default configuration

Vendor Security History

The plugin is developed by 'ajitdas' (Devs Brain) and distributed via the official WordPress plugin repository. The plugin was closed by WordPress.org as of October 14, 2025, due to unresolved security issues. There is no evidence of a timely patch response for this vulnerability. No prior information is available about the vendor's security maturity or history of similar issues.