CVE-2025-12138
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-11-21
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | url_image_importer | 1.0.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the URL Image Importer plugin for WordPress, versions up to and including 1.0.6. It allows authenticated users with Author-level access or higher to upload arbitrary files to the server because the plugin improperly validates file types. It relies on a user-controlled Content-Type HTTP header for validation but writes the file to the server before proper validation occurs. This flaw can enable attackers to upload malicious files, such as PHP scripts, potentially leading to remote code execution on the affected server.
How can this vulnerability impact me?
The vulnerability can allow attackers with Author-level access or above to upload arbitrary files, including malicious PHP files, to the server. This can lead to remote code execution, compromising the server's security, potentially allowing attackers to execute commands, access sensitive data, or take control of the affected website and its underlying infrastructure.
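The pattern the Q&A describes (trusting the client-supplied Content-Type and writing the file before validation) and its fix, as an added illustration for WordPress plugin developers. This is not the URL Image Importer plugin's code; the `uii_` function names, the AJAX action and the nonce action name are assumptions, while the WordPress functions called (`wp_check_filetype_and_ext`, `wp_handle_upload`, `current_user_can`, `check_ajax_referer`) are real core APIs.

```php
<?php
// Added illustration, not the plugin's code. Shows a weak upload handler that
// decides on the browser-supplied Content-Type after the file is already on
// disk, beside a hardened handler that validates with WordPress's own
// file-type checks before anything is written. 'uii_' names are assumed.

// Weak pattern (CWE-434): $_FILES[...]['type'] is just the client's
// Content-Type header, and the move happens before the check.
function uii_weak_upload_handler() {
    $file = $_FILES['image'];
    $dest = wp_upload_dir()['path'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );   // written first...
    if ( strpos( $file['type'], 'image/' ) !== 0 ) {  // ...checked after, on a client value
        unlink( $dest );
        wp_send_json_error( 'not an image' );
    }
    wp_send_json_success( $dest );
}

// Hardened handler: capability check, nonce, server-side type detection via
// wp_check_filetype_and_ext() (extension allowlist plus content sniffing), and
// the file only reaches the uploads directory through wp_handle_upload()
// after validation has passed.
function uii_hardened_upload_handler() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'uii_upload', 'nonce' );   // assumed nonce action name

    if ( empty( $_FILES['image']['tmp_name'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( 'no upload', 400 );
    }
    $file = $_FILES['image'];

    // Restrict to raster image types; the client's Content-Type is never consulted.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Core may suggest a corrected name when extension and content disagree.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,   // re-validated inside wp_handle_upload()
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 415 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_uii_upload', 'uii_hardened_upload_handler' );
```

The ordering is the point: in the hardened handler nothing touches the uploads directory until the capability, nonce and file-type checks have all passed, and the type decision comes from the file's own bytes and extension rather than from a header the client controls. When reviewing a plugin for this class of bug, look for `move_uploaded_file()`, `file_put_contents()` or `copy()` into the uploads path that precede any call to `wp_check_filetype_and_ext()` or `wp_handle_upload()`, and for any branch keyed on `$_FILES[...]['type']` or `$_SERVER['CONTENT_TYPE']`.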