CVE-2025-39436 CRITICAL

CVE-2025-39436: WordPress I Draw <= 1.0 - Arbitrary File Upload Vulnerability

Vendor: Aidraw
Product: I Draw
Weakness: CWE-434 · Unrestricted file upload
Published: April 17, 2025
Last update: April 28, 2026

CVSS base score

9.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw idraw allows Using Malicious Files. This issue affects I Draw: from n/a through <= 1.0.

Explanation of Vulnerability in Simple Terms

02 Summary

I Draw versions 1.0 and earlier contain an unrestricted file upload vulnerability. An authenticated administrator can upload arbitrary files to the server, potentially including executable code. The vulnerability affects the confidentiality, integrity, and availability of the site. Update to a version newer than 1.0 when one becomes available.

What an attacker can do

03 Attacker Capabilities

Upload arbitrary files, including executable code, to the server.

Potential impact on your site

04 Site Impact

Compromise of an administrator account could lead to full site takeover through malicious file uploads.

Conditions required to exploit

05 Prerequisites

The attacker must have administrator-level access to the application.

Key dates

06 Disclosure timeline

April 17, 2025: CVE published
April 28, 2026: Record updated