CVE-2025-12637
BaseFortify
Publication date: 2025-11-11
Last updated on: 2025-11-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | elastic_theme_editor | 0.0.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow attackers with low-level authenticated access to upload malicious files to your server, which may lead to remote code execution. This can compromise the security of your website, potentially allowing attackers to take control, steal data, deface the site, or use the server for further attacks.
Can you explain this vulnerability to me?
The vulnerability in the Elastic Theme Editor plugin for WordPress allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server. This is due to a dynamic code generation feature in the process_theme function in versions up to 0.0.3. Such arbitrary file uploads can potentially lead to remote code execution on the affected site.