CVE-2025-30580 (GCVE-0-2025-30580)
Vulnerability from cvelistv5 – Published: 2025-04-01 20:58 – Updated: 2026-04-28 16:11
VLAI?
Title
WordPress DigiWidgets Image Editor plugin <= 1.10 - Remote Code Execution (RCE) Vulnerability
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.This issue affects DigiWidgets Image Editor: from n/a through <= 1.10.
Severity ?
10 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| kellydiek | DigiWidgets Image Editor |
Affected:
0 , ≤ 1.10
(custom)
|
Date Public ?
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30580",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T13:33:58.449973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T14:21:49.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "digiwidgets-image-editor",
"product": "DigiWidgets Image Editor",
"vendor": "kellydiek",
"versions": [
{
"lessThanOrEqual": "1.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:08.583Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.\u003cp\u003eThis issue affects DigiWidgets Image Editor: from n/a through \u003c= 1.10.\u003c/p\u003e"
}
],
"value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.This issue affects DigiWidgets Image Editor: from n/a through \u003c= 1.10."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:54.515Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/digiwidgets-image-editor/vulnerability/wordpress-digiwidgets-image-editor-1-10-remote-code-execution-rce-vulnerability?_s_id=cve"
}
],
"title": "WordPress DigiWidgets Image Editor plugin \u003c= 1.10 - Remote Code Execution (RCE) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30580",
"datePublished": "2025-04-01T20:58:06.500Z",
"dateReserved": "2025-03-24T13:00:24.105Z",
"dateUpdated": "2026-04-28T16:11:54.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-30580",
"date": "2026-05-12",
"epss": "0.00502",
"percentile": "0.66185"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-30580\",\"sourceIdentifier\":\"audit@patchstack.com\",\"published\":\"2025-04-01T21:15:44.590\",\"lastModified\":\"2026-04-23T15:26:54.280\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.This issue affects DigiWidgets Image Editor: from n/a through \u003c= 1.10.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo (\u0027Inyecci\u00f3n de c\u00f3digo\u0027) en NotFound DigiWidgets Image Editor permite la inclusi\u00f3n remota de c\u00f3digo. Este problema afecta al editor de im\u00e1genes DigiWidgets desde n/d hasta la versi\u00f3n 1.10.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://patchstack.com/database/Wordpress/Plugin/digiwidgets-image-editor/vulnerability/wordpress-digiwidgets-image-editor-1-10-remote-code-execution-rce-vulnerability?_s_id=cve\",\"source\":\"audit@patchstack.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-30580\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-02T13:33:58.449973Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-02T13:34:06.545Z\"}}], \"cna\": {\"title\": \"WordPress DigiWidgets Image Editor plugin \u003c= 1.10 - Remote Code Execution (RCE) Vulnerability\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"0xd4rk5id3 | Patchstack Bug Bounty Program\"}], \"impacts\": [{\"capecId\": \"CAPEC-253\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"Remote Code Inclusion\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"kellydiek\", \"product\": \"DigiWidgets Image Editor\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.10\"}], \"packageName\": \"digiwidgets-image-editor\", \"collectionURL\": \"https://wordpress.org/plugins\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-04-22T14:30:56.062Z\", \"references\": [{\"url\": \"https://patchstack.com/database/Wordpress/Plugin/digiwidgets-image-editor/vulnerability/wordpress-digiwidgets-image-editor-1-10-remote-code-execution-rce-vulnerability?_s_id=cve\", \"tags\": [\"vdb-entry\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.This issue affects DigiWidgets Image Editor: from n/a through \u003c= 1.10.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.\u003cp\u003eThis issue affects DigiWidgets Image Editor: from n/a through \u003c= 1.10.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"shortName\": \"Patchstack\", \"dateUpdated\": \"2026-04-23T14:06:14.987Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-30580\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-23T14:06:14.987Z\", \"dateReserved\": \"2025-03-24T13:00:24.105Z\", \"assignerOrgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"datePublished\": \"2025-04-01T20:58:06.500Z\", \"assignerShortName\": \"Patchstack\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…