External risk intelligence

PT Luxa Addons Subscriber Arbitrary File Upload Vulnerability

CVE advisory · Severity: CRITICAL (CVSS 9.9)

CVE-2025-60218

A critical arbitrary file upload vulnerability exists in PT Luxa Addons, potentially allowing authenticated attackers to upload arbitrary files and compromise affected websites. If exploited, it could impact system integrity and availability.

Unrestricted File Upload

Halo Surface Signal

Likely · external exposure

The vulnerability affects a WordPress plugin, which is a type of web application component typically deployed on public-facing web servers. As an arbitrary file upload flaw in a plugin used for website functionality, it is commonly accessible via the public internet as part of the web application's standard request processing.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in PT Luxa Addons allows arbitrary file uploads, which could enable an attacker to compromise websites running this plugin. Given its network exploitability and critical severity, knowing whether the plugin is present in your environment is important for maintaining security.

  • File upload flaw lets attackers upload unauthorized files.
  • Critical impact means potential for significant compromise.
  • Confirm whether this plugin is in use in order to assess risk.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by uploading a malicious file to a website that uses the affected plugin. This could lead to the attacker gaining control of the website or its server, potentially resulting in data theft or disruption of services.

  • Requires authenticated access to the site.
  • Uploading a crafted file triggers the flaw.
  • Possible outcome: remote code execution and site takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated attacker to upload arbitrary files to the server under the conditions described in the advisory. This may affect the integrity and availability of the affected system.

  • Server files and system integrity at risk.
  • Arbitrary file upload via authenticated access.
  • Potential for system compromise and data alteration.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical arbitrary file upload vulnerability in PT Luxa Addons impacts organizations using this plugin on their WordPress sites. Ownership likely falls to the application or platform team responsible for the WordPress instance, with coordination from the security team for risk assessment and vendor management if the plugin is third-party. The immediate first step is to identify all deployments, assess their exposure, and confirm the business criticality of affected systems to prioritize remediation.

  • Identify affected applications and owners.
  • Verify public exposure and business criticality.
  • Plan vendor coordination and risk mitigation.

Supplementary metadata

PCI scan relevance

Yes

CVE-2025-60218 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves an arbitrary file upload, which is a critical security flaw that can lead to a complete system compromise. Such vulnerabilities are typically flagged as automatic failures in PCI ASV scans and require remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the PT Luxa Addons plugin?

PT Luxa Addons is a software component designed for WordPress sites to extend standard functionality. Users install such plugins to add features like custom layouts, widgets, or interface enhancements to their web pages. Because it integrates directly into the WordPress ecosystem, it runs as part of the host web server's application stack, handling requests and processing data provided by visitors or registered site users.

What does CWE-434 mean regarding CVE-2025-60218?

CWE-434 refers to Unrestricted Upload of File with Dangerous Type. In the context of CVE-2025-60218, it means the plugin lacks sufficient checks to verify the type, content, or extension of files being uploaded. Instead of limiting uploads to safe, expected file formats, the system allows the submission of files that could contain malicious scripts or executable code.

How is this vulnerability triggered?

An attacker triggers this flaw by successfully uploading a crafted file through the plugin's interface. This requires the attacker to have an active, authenticated account on the WordPress site. Simply browsing the site or sending public requests without valid credentials will not trigger the bug, as the underlying code path relies on a user session to process the file submission request.

Why is this considered an external risk?

Halo Surface Signal identifies this as an external risk because the plugin functions as part of a web application typically hosted on public-facing servers. Since the upload functionality is reachable through standard web traffic, an attacker does not need internal network access to attempt the exploit. If your instance is connected to the internet, it is inherently positioned to receive these malicious requests.

What should I do if I use this plugin?

First, verify whether your WordPress instances have PT Luxa Addons version 1.2.2 or older installed. Once identified, evaluate whether the plugin is necessary and restrict access to the affected features if possible. Coordinate with your application administrators to monitor for suspicious file uploads, and check official vendor channels for an update that addresses the file validation weakness.
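The two checks above (installed version 1.2.2 or older, and monitoring uploads for the type, content and extension problems CWE-434 describes) as a defender-side triage script. This is an added example, not Halo's or the plugin vendor's code; it assumes the standard WordPress plugin header format ("Version: x.y.z" in the plugin's main PHP file), and the sample header and upload listing are constructed.

```python
"""Triage helpers for CVE-2025-60218 (CWE-434 in PT Luxa Addons).
Added example, not vendor code; assumes the WordPress plugin header
format and, per the advisory, 1.2.2 as the last affected version."""
import re

LAST_AFFECTED = (1, 2, 2)
# Extensions a web server may execute as code; any of them appearing in a
# file name under wp-content/uploads (even "img.php.png") is suspect.
EXECUTABLE_EXTS = {"php", "php5", "php7", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def parse_plugin_version(header_text):
    """Return the Version tuple from a WordPress plugin header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version):
    """Affected if the installed version is 1.2.2 or older."""
    return version is not None and version <= LAST_AFFECTED


def dangerous_upload_reasons(path, content):
    """List why an uploaded file is suspicious; [] if it looks benign.
    Checks the name (extension, double extension) and the content (PHP
    open tag): the properties CWE-434 says the plugin fails to validate."""
    reasons = []
    exts = path.rsplit("/", 1)[-1].lower().split(".")[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        reasons.append("executable extension in name")
    if PHP_TAG.search(content):
        reasons.append("PHP code in content")
    return reasons


SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PT Luxa Addons
 * Version: 1.2.2
 */
"""
SAMPLE_UPLOADS = {  # constructed wp-content/uploads listing
    "2025/10/photo.jpg": b"\xff\xd8\xff\xe0JFIF",
    "2025/10/cmd.php": b"<?php echo 'test'; ?>",
    "2025/10/cmd.php.png": b"\x89PNG",
    "2025/10/notes.txt": b"<?= 'x' ?>",
}
```

Run `dangerous_upload_reasons` over a real listing of wp-content/uploads and `parse_plugin_version` over the plugin's main file to get both answers for your own instance.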
