CVE-2025-9112 Overview
CVE-2025-9112 is an arbitrary file upload vulnerability in the Doccure medical theme for WordPress. The flaw resides in the doccure_temp_file_uploader function, which performs incorrect file type validation. All versions up to and including 1.5.0 are affected.
Authenticated attackers with subscriber-level access or higher can upload arbitrary files to the affected site's server. Successful exploitation can lead to remote code execution on the underlying web server. The weakness is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.
Critical Impact
Authenticated subscribers can upload malicious PHP files through doccure_temp_file_uploader, enabling remote code execution and full site compromise.
Affected Products
- Doccure WordPress theme versions up to and including 1.5.0
- WordPress installations using the Doccure medical theme with subscriber registration enabled
- Distributed via ThemeForest Doccure Medical WordPress Theme
Discovery Timeline
- 2025-09-08 - CVE-2025-9112 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9112
Vulnerability Analysis
The Doccure theme exposes the doccure_temp_file_uploader AJAX handler for processing user-submitted files. The function fails to enforce a server-side allowlist of safe MIME types and file extensions. As a result, the handler accepts executable PHP files alongside legitimate document and image formats.
Because WordPress assigns the subscriber role to any user who self-registers when open registration is enabled, the barrier to exploitation is minimal. An attacker authenticates with low-privilege credentials and submits a crafted multipart request to the upload endpoint. The uploaded file is written to a web-accessible directory under wp-content, where it can be executed by requesting its URL directly.
Root Cause
The root cause is missing or improper validation of uploaded file types within doccure_temp_file_uploader. The function does not invoke WordPress core helpers such as wp_check_filetype_and_ext() against a restricted allowlist, nor does it strip dangerous extensions before persisting files to disk. Client-supplied filename and MIME values are trusted, which violates the secure-upload guidance documented in CWE-434.
Attack Vector
The vulnerability is exploitable remotely over the network. An attacker registers a low-privilege account, authenticates, and issues an HTTP POST request to the AJAX action backing doccure_temp_file_uploader with a PHP payload disguised through filename or MIME manipulation. After upload, the attacker requests the resulting file URL to trigger PHP execution under the web server's identity. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-9112
Indicators of Compromise
- New PHP, .phtml, or .phar files appearing under wp-content/uploads/ or Doccure-specific temporary upload directories
- HTTP POST requests to admin-ajax.php referencing the doccure_temp_file_uploader action from subscriber accounts
- Unexpected outbound network connections originating from the PHP-FPM or web server process after a file upload event
- Newly registered subscriber accounts immediately followed by file upload activity
Detection Strategies
- Inspect web server access logs for POST requests to admin-ajax.php containing the doccure_temp_file_uploader action parameter
- Alert on creation of files with executable extensions inside upload directories using file integrity monitoring
- Correlate WordPress user registration events with subsequent file upload AJAX calls from the same session
Monitoring Recommendations
- Enable WordPress audit logging to capture user registration, role assignments, and AJAX action invocations
- Monitor PHP execution within wp-content/uploads/ paths, which should not normally contain executable scripts
- Review egress traffic from the web tier for connections to attacker-controlled command-and-control infrastructure
How to Mitigate CVE-2025-9112
Immediate Actions Required
- Update the Doccure theme to a version newer than 1.5.0 once the vendor publishes a patched release
- Disable open user registration in WordPress settings if subscriber self-service is not required
- Audit the wp-content/uploads/ directory for unauthorized PHP files and remove any unknown artifacts
- Rotate administrator credentials and review all user accounts for unexpected privilege escalations
Patch Information
At the time of publication, no fixed version is referenced in the NVD record. Site operators should monitor the Wordfence advisory and the ThemeForest product page for an updated release addressing doccure_temp_file_uploader.
Workarounds
- Restrict access to admin-ajax.php for the doccure_temp_file_uploader action using a web application firewall rule
- Deny PHP execution inside wp-content/uploads/ via web server configuration
- Temporarily set users_can_register to 0 in WordPress general settings to block subscriber self-registration
# Nginx: block PHP execution within WordPress uploads directory
location ~* /wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
deny all;
return 403;
}
# Apache: place in .htaccess inside wp-content/uploads/
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
Require all denied
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

