CVE-2025-9212
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp_dispatcher | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WP Dispatcher plugin for WordPress, where the function wp_dispatcher_process_upload() does not properly validate file types. This allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server hosting the WordPress site. Although there is an .htaccess file that limits remote code execution, the vulnerability could still potentially allow attackers to execute malicious code remotely.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with low-level authenticated access to upload arbitrary files, which may lead to remote code execution on the server. This can compromise the security and integrity of the affected website, potentially leading to data breaches, defacement, or further exploitation of the server.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WP Dispatcher plugin to a version later than 1.2.0 where the issue is fixed. Additionally, restrict or review user permissions to limit Subscriber-level access and above from uploading files until the update is applied. Consider implementing additional file upload validation or security measures on your server to prevent arbitrary file uploads.