Introduction
Attackers can gain remote code execution on WordPress sites running BerqWP simply by uploading a malicious file, no authentication required. This flaw impacts a widely used performance optimization plugin, putting many production websites at risk of full compromise if left unpatched.
BerqWP is an all-in-one WordPress plugin for automated page speed optimization, integrating caching, CDN, image, CSS, and JavaScript enhancements. It is used by a substantial number of WordPress sites seeking to improve Core Web Vitals and overall performance. The plugin's broad adoption and integration with critical site performance workflows make vulnerabilities in its codebase especially impactful for the WordPress ecosystem.
Technical Information
CVE-2025-7443 is an arbitrary file upload vulnerability in the BerqWP plugin, specifically affecting the store_javascript_cache.php endpoint. This endpoint is designed to cache JavaScript files as part of the plugin's optimization process. However, it lacks any file type validation, allowing attackers to upload files of any type, including executable scripts, directly to the server.
The root cause is the absence of checks on file extensions and MIME types in the file upload logic. As a result, an unauthenticated attacker can send a crafted HTTP POST request to the vulnerable endpoint with a payload containing a malicious file (for example, a PHP web shell). Since the uploaded file is stored in a web-accessible directory, the attacker can then access and execute it remotely, achieving arbitrary code execution on the server.
This issue is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability affects all plugin installations up to and including version 2.2.42. The lack of authentication and the unrestricted nature of the upload make exploitation trivial and highly impactful.
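A defender-side check that follows from the description above, as an added example that is not part of the original advisory or the plugin's code: because the endpoint is meant to cache JavaScript only, any other file type in the cache directory is suspect. The cache directory argument, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: a JavaScript cache directory should hold nothing but .js files.
ALLOWED_EXTENSIONS = {".js"}
# Suffixes that web servers commonly hand to the PHP interpreter.
EXECUTABLE_SUFFIXES = {"php", "phtml", "phar"}


def audit_cache_dir(cache_dir):
    """Return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, cache_dir)
            ext = os.path.splitext(name)[1].lower()
            suffixes = set(name.lower().split(".")[1:])
            if ext not in ALLOWED_EXTENSIONS:
                findings.append((rel, "unexpected extension"))
            elif suffixes & EXECUTABLE_SUFFIXES:
                # e.g. "x.php.js": some handler configs match any suffix
                findings.append((rel, "executable suffix in name"))
            with open(path, "rb") as fh:
                if b"<?php" in fh.read().lower():
                    findings.append((rel, "PHP open tag in content"))
    return sorted(findings)


def build_sample(cache_dir):
    """Write constructed, harmless sample files for the demonstration."""
    samples = {
        "a1b2.js": b"console.log('ok');",
        "c3d4.php": b"<?php echo 'test'; ?>",
        "e5f6.php.js": b"var x = 1;",
        "g7h8.js": b"/* cached */ <?PHP echo 'test'; ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(cache_dir, name), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in audit_cache_dir(tmp):
            print(f"{rel}: {reason}")
```

The same extension allowlist and content check belong on the server side of any upload handler; this script only finds what has already been written to disk.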
Affected Systems and Versions
- Product: BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript (WordPress plugin)
- Affected versions: All versions up to and including 2.2.42
- Vulnerable endpoint: store_javascript_cache.php
- No authentication required for exploitation
Vendor Security History
- Previous arbitrary file upload vulnerability in BerqWP version 1.7.6 (Wordfence advisory)
- Recurring issues with file upload handling and input validation
- Active development cycle but multiple security flaws over time