Skip to main content
CVE Vulnerability Database

CVE-2025-9112: Doccure WordPress Theme RCE Vulnerability

CVE-2025-9112 is a remote code execution flaw in Doccure WordPress theme that allows authenticated attackers to upload malicious files. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-9112 Overview

CVE-2025-9112 is an arbitrary file upload vulnerability in the Doccure medical theme for WordPress. The flaw resides in the doccure_temp_file_uploader function, which performs incorrect file type validation. All versions up to and including 1.5.0 are affected.

Authenticated attackers with subscriber-level access or higher can upload arbitrary files to the affected site's server. Successful exploitation can lead to remote code execution on the underlying web server. The weakness is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.

Critical Impact

Authenticated subscribers can upload malicious PHP files through doccure_temp_file_uploader, enabling remote code execution and full site compromise.

Affected Products

Discovery Timeline

  • 2025-09-08 - CVE-2025-9112 published to the National Vulnerability Database
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9112

Vulnerability Analysis

The Doccure theme exposes the doccure_temp_file_uploader AJAX handler for processing user-submitted files. The function fails to enforce a server-side allowlist of safe MIME types and file extensions. As a result, the handler accepts executable PHP files alongside legitimate document and image formats.

Because WordPress assigns the subscriber role to any user who self-registers when open registration is enabled, the barrier to exploitation is minimal. An attacker authenticates with low-privilege credentials and submits a crafted multipart request to the upload endpoint. The uploaded file is written to a web-accessible directory under wp-content, where it can be executed by requesting its URL directly.

Root Cause

The root cause is missing or improper validation of uploaded file types within doccure_temp_file_uploader. The function does not invoke WordPress core helpers such as wp_check_filetype_and_ext() against a restricted allowlist, nor does it strip dangerous extensions before persisting files to disk. Client-supplied filename and MIME values are trusted, which violates the secure-upload guidance documented in CWE-434.

Attack Vector

The vulnerability is exploitable remotely over the network. An attacker registers a low-privilege account, authenticates, and issues an HTTP POST request to the AJAX action backing doccure_temp_file_uploader with a PHP payload disguised through filename or MIME manipulation. After upload, the attacker requests the resulting file URL to trigger PHP execution under the web server's identity. See the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-9112

Indicators of Compromise

  • New PHP, .phtml, or .phar files appearing under wp-content/uploads/ or Doccure-specific temporary upload directories
  • HTTP POST requests to admin-ajax.php referencing the doccure_temp_file_uploader action from subscriber accounts
  • Unexpected outbound network connections originating from the PHP-FPM or web server process after a file upload event
  • Newly registered subscriber accounts immediately followed by file upload activity

Detection Strategies

  • Inspect web server access logs for POST requests to admin-ajax.php containing the doccure_temp_file_uploader action parameter
  • Alert on creation of files with executable extensions inside upload directories using file integrity monitoring
  • Correlate WordPress user registration events with subsequent file upload AJAX calls from the same session

Monitoring Recommendations

  • Enable WordPress audit logging to capture user registration, role assignments, and AJAX action invocations
  • Monitor PHP execution within wp-content/uploads/ paths, which should not normally contain executable scripts
  • Review egress traffic from the web tier for connections to attacker-controlled command-and-control infrastructure

How to Mitigate CVE-2025-9112

Immediate Actions Required

  • Update the Doccure theme to a version newer than 1.5.0 once the vendor publishes a patched release
  • Disable open user registration in WordPress settings if subscriber self-service is not required
  • Audit the wp-content/uploads/ directory for unauthorized PHP files and remove any unknown artifacts
  • Rotate administrator credentials and review all user accounts for unexpected privilege escalations

Patch Information

At the time of publication, no fixed version is referenced in the NVD record. Site operators should monitor the Wordfence advisory and the ThemeForest product page for an updated release addressing doccure_temp_file_uploader.

Workarounds

  • Restrict access to admin-ajax.php for the doccure_temp_file_uploader action using a web application firewall rule
  • Deny PHP execution inside wp-content/uploads/ via web server configuration
  • Temporarily set users_can_register to 0 in WordPress general settings to block subscriber self-registration
bash
# Nginx: block PHP execution within WordPress uploads directory
location ~* /wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
    return 403;
}

# Apache: place in .htaccess inside wp-content/uploads/
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.