CVE-2025-9212
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-03

Last updated on: 2025-10-06

Assigner: Wordfence

Description
The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-03
Last Modified
2025-10-06
Generated
2026-06-16
AI Q&A
2025-10-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9212
EUVD
EUVD-2025-32513
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence wp_dispatcher *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the WP Dispatcher plugin for WordPress, where the function wp_dispatcher_process_upload() does not properly validate file types. This allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server hosting the WordPress site. Although there is an .htaccess file that limits remote code execution, the vulnerability could still potentially allow attackers to execute malicious code remotely.

Impact Analysis

If exploited, this vulnerability can allow an attacker with low-level authenticated access to upload arbitrary files, which may lead to remote code execution on the server. This can compromise the security and integrity of the affected website, potentially leading to data breaches, defacement, or further exploitation of the server.

Mitigation Strategies

To mitigate this vulnerability, immediately update the WP Dispatcher plugin to a version later than 1.2.0 where the issue is fixed. Additionally, restrict or review user permissions to limit Subscriber-level access and above from uploading files until the update is applied. Consider implementing additional file upload validation or security measures on your server to prevent arbitrary file uploads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart