CVE-2025-9321
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-09-24
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpcasa | wpcasa | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9321 is a critical security vulnerability in the WPCasa WordPress plugin (versions up to 1.4.1) that allows unauthenticated attackers to perform code injection via the plugin's API. This happens because the 'api_requests' function does not properly validate or restrict input, enabling attackers to call arbitrary functions and execute malicious code. Additionally, there was a related Cross-Site Scripting (XSS) vulnerability in the shortcode '[wpsight_listings_map]'. The vulnerability was fixed in version 1.4.2 by implementing strict input sanitization, output escaping, and enforcing an allow-list of permitted API endpoints to prevent unauthorized code execution. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including allowing attackers to execute arbitrary code on your WordPress site without authentication. This can lead to full site compromise, data theft, defacement, or use of your site as a platform for further attacks. The high CVSS score (9.8) reflects the critical nature of this issue, indicating that the vulnerability can result in complete confidentiality, integrity, and availability loss of the affected system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious API requests to the 'wpsight-api' query variable on your WordPress site. You can check your web server logs for requests containing 'wpsight-api' parameters that are not part of the allowed endpoints. For example, using command-line tools:

1) To search Apache or Nginx logs for suspicious API calls: `grep 'wpsight-api' /var/log/apache2/access.log` or `grep 'wpsight-api' /var/log/nginx/access.log`
2) To identify unexpected or unauthorized endpoints: `grep 'wpsight-api' /var/log/apache2/access.log | awk -F'wpsight-api=' '{print $2}' | cut -d'&' -f1 | sort | uniq -c | sort -nr`

This will show the frequency of requested API endpoints, helping identify unusual or unauthorized usage. Additionally, checking your WordPress plugin version to confirm whether it is at or below 1.4.1 can help detect vulnerable installations. [1, 2]
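The same log triage, written as a runnable Python script instead of the grep/awk pipeline, so the endpoint extraction and the version check can be reused in a monitoring job. This is an added example, not code from the BaseFortify page or the WPCasa plugin; the log lines are constructed, and the allow-list is a hypothetical placeholder because the page does not enumerate the plugin's permitted endpoints.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2025:10:01:02 +0000] "GET /?wpsight-api=listings&foo=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Sep/2025:10:01:03 +0000] "GET /?wpsight-api=listings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Sep/2025:10:02:10 +0000] "GET /?wpsight-api=some_unexpected_value HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [23/Sep/2025:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# Hypothetical allow-list: the page does not list the plugin's permitted endpoints,
# so replace this placeholder with the names your deployed version documents.
ALLOWED_ENDPOINTS = {"listings"}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')

def extract_endpoint(line):
    """Return the wpsight-api value from one log line, or None if absent."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query)
    values = query.get("wpsight-api")
    return values[0] if values else None

def count_endpoints(log_text):
    """Frequency of each requested wpsight-api endpoint (the awk/sort/uniq step)."""
    return Counter(e for e in map(extract_endpoint, log_text.splitlines()) if e is not None)

def flag_unexpected(log_text, allowed=ALLOWED_ENDPOINTS):
    """Endpoints seen in the log that are not on the allow-list, with their counts."""
    return {ep: n for ep, n in count_endpoints(log_text).items() if ep not in allowed}

def is_vulnerable_version(version):
    """True if the installed WPCasa version is at or below 1.4.1 (fixed in 1.4.2)."""
    return tuple(int(p) for p in version.split(".")) <= (1, 4, 1)

if __name__ == "__main__":
    for ep, n in count_endpoints(SAMPLE_LOG).most_common():
        print(f"{n:5d} {ep}")
    print("unexpected:", flag_unexpected(SAMPLE_LOG))
```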
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WPCasa WordPress plugin to version 1.4.2 or later, where the vulnerability has been fixed. This update includes strict input sanitization, an allow-list for API endpoints, and safe class instantiation to prevent code injection. If updating immediately is not possible, you should restrict access to the 'wpsight-api' endpoint by implementing firewall rules or web server configurations to block unauthorized requests. Additionally, monitor and audit API requests for suspicious activity and consider disabling the plugin temporarily if the risk is high. [1, 2]