CVE-2025-12138: WordPress URL Image Importer RCE Flaw

CVE-2025-12138 Overview

CVE-2025-12138 is an arbitrary file upload vulnerability in the URL Image Importer plugin for WordPress, affecting all versions up to and including 1.0.6. The plugin's uimptr_import_image_from_url() function validates uploads using the user-controlled Content-Type HTTP header and writes the file to disk before performing proper validation. Authenticated attackers with Author-level access or above can upload arbitrary files, including PHP scripts, leading to remote code execution on the affected server. The flaw is categorized under CWE-434: Unrestricted Upload of File with Dangerous Type.

Critical Impact

Authenticated Author-level attackers can upload PHP files and achieve remote code execution on the WordPress server.

Affected Products

• URL Image Importer plugin for WordPress, all versions through 1.0.6
• WordPress sites granting Author-level or higher accounts to untrusted users
• Web servers hosting vulnerable installations with PHP execution enabled in upload directories

Discovery Timeline

• 2025-11-21 - CVE-2025-12138 published to NVD
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-12138

Vulnerability Analysis

The URL Image Importer plugin allows users to import remote images by supplying a URL. The plugin retrieves the remote resource and stores it in the WordPress uploads directory. The vulnerability stems from how the plugin determines whether the retrieved resource is a permitted image type.

Instead of inspecting the file contents or enforcing an allowlist of extensions, the plugin trusts the Content-Type header returned by the remote server. An attacker controls both the URL and the remote server, so they can return any Content-Type value such as image/png while serving arbitrary payload data. The plugin writes this payload to disk in the uploads directory before any validation occurs, leaving a malicious file persisted on the server even if a later check were to fail.

The attack requires authenticated access at Author level or above, which limits casual exploitation but is well within reach of compromised contributor accounts, multi-author sites, and membership communities. Successful exploitation typically results in remote code execution because PHP files written under the WordPress uploads path are executable in default configurations.

Root Cause

The root cause is reliance on a user-controlled HTTP header for security decisions, combined with write-before-validate logic in uimptr_import_image_from_url(). The plugin does not verify file magic bytes, does not restrict extensions, and does not enforce a server-side MIME allowlist tied to actual content inspection.

Attack Vector

An authenticated attacker hosts a PHP webshell on an attacker-controlled server configured to respond with an image Content-Type header. The attacker then uses the plugin's import functionality to supply the URL of that file. The plugin fetches the file, accepts the spoofed Content-Type, and writes the payload to the WordPress uploads directory with an attacker-influenced filename. The attacker then requests the stored file directly through the web server to trigger PHP execution.

For specific source lines, see the vulnerable code in url-image-importer.php at line 1319 and the Wordfence Vulnerability Analysis.

Detection Methods for CVE-2025-12138

Indicators of Compromise

• Files with PHP extensions or double extensions such as .php, .phtml, or .jpg.php present under wp-content/uploads/
• Outbound HTTP requests from the WordPress host to unfamiliar external URLs initiated by the plugin import workflow
• WordPress activity logs showing image imports performed by Author-level accounts with non-image source URLs
• Web server access logs showing direct GET or POST requests to files within wp-content/uploads/ returning HTTP 200 with dynamic responses

Detection Strategies

• Scan the uploads directory for files whose contents do not match their declared extension using magic-byte inspection
• Alert on creation of executable script files within wp-content/uploads/ and its subdirectories
• Monitor WordPress usermeta and audit logs for unusual use of the URL Image Importer plugin by lower-privilege accounts
• Correlate plugin import events with outbound network connections to non-CDN, non-allowlisted hosts

Monitoring Recommendations

• Enable file integrity monitoring on the WordPress installation, focusing on wp-content/uploads/ and plugin directories
• Forward web server access logs and PHP error logs to a central SIEM and alert on script execution from upload paths
• Track plugin version inventory across WordPress estates to identify installations still running URL Image Importer 1.0.6 or earlier

How to Mitigate CVE-2025-12138

Immediate Actions Required

• Disable or remove the URL Image Importer plugin until a patched release is installed and verified
• Audit all Author-level and higher accounts, remove unused accounts, and rotate credentials for any account that may be compromised
• Inspect wp-content/uploads/ for unexpected PHP files and remove any malicious artifacts found
• Restrict outbound HTTP requests from the WordPress host to known-good destinations where feasible

Patch Information

Review the WordPress plugin changeset for the fix applied to uimptr_import_image_from_url(). Upgrade to a release published after changeset 3395852 and confirm the installed version is greater than 1.0.6 before re-enabling the plugin.

Workarounds

• Block PHP execution within wp-content/uploads/ using a web server configuration directive that denies handler mapping for script extensions
• Limit the Author role to trusted users only, or temporarily downgrade Author-level accounts to Contributor until the plugin is patched
• Place the WordPress site behind a web application firewall with rules that inspect uploaded file content rather than declared MIME type

# Apache example: disable PHP execution inside wp-content/uploads
# Place this in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|phar|php3|php4|php5|php7|phps)$">
    Require all denied
</FilesMatch>

# Nginx equivalent: add to the server block
location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ {
    deny all;
    return 403;
}