CVE-2025-12153 Overview
CVE-2025-12153 is an arbitrary file upload vulnerability in the Featured Image via URL plugin for WordPress. The flaw affects all versions up to and including 0.1. The plugin lacks a file type validation function, allowing authenticated users with Contributor-level access or above to upload arbitrary files to the server. Successful exploitation can lead to remote code execution on the affected WordPress site. The vulnerability is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.
Critical Impact
Authenticated attackers with Contributor privileges can upload arbitrary files, including PHP webshells, enabling remote code execution and full site compromise.
Affected Products
- WordPress Featured Image via URL plugin versions <= 0.1
- WordPress sites with Contributor-level or higher user accounts enabled
- Self-hosted WordPress installations using the affected plugin
Discovery Timeline
- 2025-12-05 - CVE-2025-12153 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12153
Vulnerability Analysis
The Featured Image via URL plugin exposes a file upload mechanism that fails to validate the type of uploaded files. The plugin's intended purpose is to assign featured images to posts using external URLs, but the underlying upload handler accepts arbitrary file content. Without MIME or extension checks, attackers can submit executable PHP files or other server-interpreted content. Once written to a web-accessible directory, the attacker requests the file to trigger code execution. The attack requires only Contributor-level authentication, a low bar given WordPress sites commonly provision such accounts for guest writers.
Root Cause
The root cause is the absence of a file type validation routine in the plugin's upload handler. WordPress provides functions such as wp_check_filetype() and wp_handle_upload() with $overrides to restrict allowed MIME types, but the plugin does not invoke these safeguards. As a result, the server stores any submitted file regardless of extension or content type.
Attack Vector
An attacker first authenticates to the target WordPress site with Contributor or higher privileges. The attacker then issues an authenticated HTTP POST request to the plugin's upload endpoint, supplying a malicious file such as a PHP webshell. The server saves the file in the uploads directory. The attacker then requests the file directly via HTTP, causing the PHP interpreter to execute the payload and grant arbitrary code execution under the web server's user context.
No verified exploit code has been published. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-12153
Indicators of Compromise
- Unexpected files with .php, .phtml, or .phar extensions in wp-content/uploads/ directories
- Outbound network connections initiated by the web server process to unknown hosts
- New or modified administrator accounts following Contributor account activity
- Web server access logs showing direct GET requests to uploaded files in plugin-managed directories
Detection Strategies
- Monitor WordPress audit logs for file upload activity originating from Contributor-level accounts
- Inspect uploaded file content against expected MIME types rather than relying solely on extensions
- Deploy web application firewall rules that block uploads of executable file types to WordPress plugin endpoints
- Compare installed plugin versions against the vulnerable version 0.1 to identify exposed sites
Monitoring Recommendations
- Enable file integrity monitoring on the wp-content/uploads/ directory tree
- Alert on creation of script files within directories normally containing only media assets
- Review user role assignments and remove Contributor-or-higher access from untrusted accounts
- Centralize WordPress logs in a SIEM and correlate authentication events with upload activity
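The following added example (not from the page or the plugin) implements the two detection strategies above that do not depend on a log source: it walks an uploads tree, flags files with script extensions, and compares each remaining file's extension against its leading bytes so that PHP content hidden behind an image name is caught. The sample tree, file names and contents are constructed for the example.

```python
import os
import tempfile

# Extensions a media-only uploads tree should never contain (see the IoC list above)
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps"}

# Leading bytes expected for the image types a featured-image plugin would store
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify(path):
    """Return a finding label for a suspicious file, or None if it looks benign."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(64)
    if ext in SCRIPT_EXTS:
        return "script-extension"
    if b"<?php" in head or b"<?=" in head:      # PHP opening tag regardless of name
        return "php-tag-in-content"
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unexpected-extension"
    if not any(head.startswith(m) for m in expected):
        return "magic-mismatch"                  # extension claims an image, bytes do not
    return None

def scan_uploads(root):
    """Walk an uploads tree and return {relative_path: finding} for suspicious files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            finding = classify(full)
            if finding:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = finding
    return findings

def build_sample_tree():
    """Constructed sample uploads tree (placeholder content, not real artefacts)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2025/12/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,       # benign JPEG header
        "2025/12/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,       # benign PNG header
        "2025/12/shell.php": b"<?php /* constructed placeholder */ ?>",  # script extension
        "2025/12/banner.jpg": b"<?php /* constructed placeholder */ ?>", # PHP behind image name
        "2025/12/cover.gif": b"\x00\x01\x02\x03",                       # wrong leading bytes
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root
```

Running scan_uploads() against a real wp-content/uploads/ tree from a file-integrity or cron job turns the "alert on script files in media directories" recommendation into a concrete check.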
How to Mitigate CVE-2025-12153
Immediate Actions Required
- Deactivate and remove the Featured Image via URL plugin until a patched version is available
- Audit all Contributor-level and higher accounts and remove any unauthorized users
- Scan the wp-content/uploads/ directory for unexpected script files and remove malicious content
- Rotate WordPress administrator credentials and invalidate active sessions if compromise is suspected
Patch Information
At the time of NVD publication, all versions up to and including 0.1 of the Featured Image via URL plugin are affected. Site administrators should monitor the WordPress Plugin Repository for an updated release that introduces file type validation.
Workarounds
- Restrict PHP execution in the wp-content/uploads/ directory using web server configuration rules
- Limit user registration and avoid granting Contributor or higher roles to untrusted users
- Deploy a web application firewall with rules that block executable file uploads to plugin endpoints
- Enforce least privilege on the web server process to limit the impact of code execution
# Apache (2.4+ syntax): deny PHP execution within the uploads directory
# Place this in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>

# Nginx: deny PHP execution within the uploads directory
# Add to the server block, before the location that passes .php to PHP-FPM,
# since the first matching regex location wins
location ~* /wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.