CVE-2025-12181
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| contentstudio | contentstudio | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the ContentStudio plugin for WordPress allows authenticated users with Author-level access or higher to upload arbitrary files to the server because the plugin does not properly validate file types in the cstu_update_post() function. This can potentially lead to remote code execution on the affected site.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Author-level access to upload malicious files to your server, which may lead to remote code execution. This can compromise the security and integrity of your website and server, potentially resulting in data breaches, defacement, or further exploitation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the ContentStudio WordPress plugin to version 1.4.0 or later, as versions up to and including 1.3.7 are vulnerable. Additionally, restrict Author-level access and above to trusted users only, and consider disabling or removing the plugin until a secure version is confirmed. Ensure your WordPress and PHP versions meet the plugin requirements (WordPress 5.8+ and PHP 7.4+). [1]