CVE-2025-12154
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| modern_tribe | auto_thumbnailer | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or removing the Auto Thumbnailer plugin from your WordPress installation, as it has been closed and removed from download availability pending a full security review. Additionally, restrict Contributor-level and higher user permissions until a patched version is available to prevent arbitrary file uploads. [1]
How can this vulnerability impact me? :
An attacker with Contributor-level access or above can upload malicious files to your server, which may lead to remote code execution. This can compromise the security of your website, allowing unauthorized control, data theft, defacement, or further attacks.
Can you explain this vulnerability to me?
This vulnerability in the Auto Thumbnailer plugin for WordPress allows authenticated users with Contributor-level access or higher to upload arbitrary files to the server because the plugin's uploadThumb() function does not properly validate file types. This can potentially lead to remote code execution on the affected site.