CVE-2025-12189
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| breadbutter | bread_&_butter | to 7.11.1374 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress, affecting all versions up to 7.10.1321. It occurs because the uploadImage() function lacks proper nonce validation, allowing unauthenticated attackers to upload arbitrary files by tricking a site administrator into performing an action, such as clicking a malicious link. This can lead to remote code execution on the affected site.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to upload arbitrary files to the WordPress site by exploiting the CSRF flaw, which can lead to remote code execution. This means the attacker could potentially execute malicious code on the server, compromising the website's security and potentially gaining control over the site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected or unauthorized file uploads to the WordPress uploads directory, especially PHP files such as web shells. Since the exploit involves an AJAX POST request to the endpoint `/wp-admin/admin-ajax.php` with the action `upload_image`, you can inspect web server logs or use network monitoring tools to look for POST requests to this endpoint from administrator sessions. Additionally, checking for the presence of suspicious PHP files in the uploads directory (e.g., `/wp-content/uploads/[year]/[month]/test.php`) can indicate exploitation. Commands to detect suspicious files include: `find wp-content/uploads/ -name '*.php'` to locate PHP files in the uploads directory. To detect suspicious AJAX requests, you can analyze web server logs with commands like `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'upload_image'` to find relevant POST requests. Monitoring for unusual admin activity or unexpected file uploads can also help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Update the Bread & Butter WordPress plugin to a version later than 7.10.1321 where this vulnerability is fixed. 2. If an update is not immediately available, restrict access to the AJAX endpoint `/wp-admin/admin-ajax.php` for the `upload_image` action by implementing additional CSRF protections or disabling the vulnerable upload functionality temporarily. 3. Limit administrator access and educate administrators to avoid clicking on suspicious links or visiting untrusted pages while logged in. 4. Scan the uploads directory for any uploaded PHP shells or suspicious files and remove them. 5. Implement Web Application Firewall (WAF) rules to block unauthorized POST requests to the vulnerable AJAX action. 6. Monitor logs for suspicious activity related to file uploads and admin AJAX requests. These steps help prevent exploitation by blocking unauthorized file uploads and reducing the attack surface until a patch is applied. [1, 3]