CVE-2025-14045
Unauthorized Safe File Upload in WordPress URL Media Uploader Plugin
Publication date: 2025-12-12
Last updated on: 2025-12-15
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the URL Media Uploader plugin for WordPress allows authenticated users with Contributor-level access or higher to upload safe media files without proper authorization checks. This happens because the url_media_uploader_url_upload_ajax_handler() function lacks a capability check, enabling these users to perform uploads they might not otherwise be permitted to do.
How can this vulnerability impact me?
This vulnerability could allow users with Contributor-level access or above to upload media files without proper authorization, potentially leading to unauthorized content being added to the WordPress site. While the files must be safe media files, this could still lead to content integrity issues or misuse of upload functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the WordPress site runs URL Media Uploader plugin version 1.0.1 or earlier and whether authenticated users with Contributor-level access or higher can upload media files through the plugin's AJAX handler without a capability check. Detection can involve monitoring AJAX POST requests to the endpoint that invokes url_media_uploader_url_upload_ajax_handler and verifying whether unauthorized uploads occur. A practical approach is to inspect AJAX requests in the browser developer console or in server logs for POST requests carrying media URLs that were submitted by users holding the Contributor role. You can also check which plugin version is installed. The resources give no specific commands, but WordPress CLI (WP-CLI) can list plugin versions and user roles, and server logs or tools such as tcpdump or Wireshark can reveal suspicious AJAX POST requests to the plugin's upload handler. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the URL Media Uploader plugin to version 1.0.1 or later, which includes a fix for this vulnerability. If updating is not immediately possible, add a capability check to the plugin's AJAX handler function `url_media_uploader_url_upload_ajax_handler()` so that the authenticated user must hold the `upload_files` capability before any upload is processed. This can be done by adding the following code after nonce verification: `if ( ! current_user_can( 'upload_files' ) ) { wp_send_json_error( array( 'message' => 'You do not have permission to upload files.' ) ); return; }`. Additionally, monitor Contributor-level users and restrict them from uploading media files until the patch is applied. Ensure nonce verification is enabled to prevent CSRF attacks. These steps prevent unauthorized media uploads and privilege escalation. [2]
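The following is an added example of a hardened URL-upload AJAX handler that applies the mitigations described above (nonce verification, the `upload_files` capability check, URL validation and a media-type restriction); it is not the plugin's own code, and the action hook name, nonce action, POST field name and function name are assumptions.

```php
<?php
// Added example: hardened URL-upload AJAX handler. The hook name 'wp_ajax_umu_url_upload',
// the nonce action 'umu_url_upload', the POST field 'url' and the function name are
// assumptions, not identifiers from the real plugin.

add_action( 'wp_ajax_umu_url_upload', 'umu_hardened_url_upload_ajax_handler' );

function umu_hardened_url_upload_ajax_handler() {
    // 1. CSRF protection: check_ajax_referer() terminates the request if the nonce is missing or stale.
    check_ajax_referer( 'umu_url_upload', 'nonce' );

    // 2. Authorization (the check missing in CWE-862): Contributors lack upload_files by default.
    if ( ! current_user_can( 'upload_files' ) ) {
        error_log( 'url upload denied for user ' . get_current_user_id() ); // aids log-based detection
        wp_send_json_error( array( 'message' => 'You do not have permission to upload files.' ), 403 );
    }

    // 3. Input validation: accept only an absolute http(s) URL.
    $url    = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }

    // 4. Restrict to image media by extension before fetching anything.
    $path     = (string) wp_parse_url( $url, PHP_URL_PATH );
    $filetype = wp_check_filetype( $path );
    if ( empty( $filetype['type'] ) || 0 !== strpos( $filetype['type'], 'image/' ) ) {
        wp_send_json_error( array( 'message' => 'Only image files may be uploaded by URL.' ), 415 );
    }

    // 5. Sideload through core so WordPress re-validates the file type and MIME on the downloaded bytes.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( array( 'message' => $tmp->get_error_message() ), 502 );
    }
    $file_array    = array( 'name' => basename( $path ), 'tmp_name' => $tmp );
    $attachment_id = media_handle_sideload( $file_array, 0 );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp ); // media_handle_sideload() does not clean up on failure
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'attachment_id' => $attachment_id, 'url' => wp_get_attachment_url( $attachment_id ) ) );
}
```

The `wp_send_json_*` helpers exit after sending the response, so no explicit `return` is needed after each error branch.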