Skip to main content
CVE Vulnerability Database

CVE-2025-9212: WP Dispatcher Plugin RCE Vulnerability

CVE-2025-9212 is a remote code execution flaw in the WP Dispatcher WordPress plugin that allows authenticated attackers to upload arbitrary files. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2025-9212 Overview

CVE-2025-9212 is an arbitrary file upload vulnerability in the WP Dispatcher plugin for WordPress. The flaw exists in the wp_dispatcher_process_upload() function, which fails to validate uploaded file types. All versions up to and including 1.2.0 are affected.

Authenticated attackers with Subscriber-level access or higher can upload arbitrary files to the affected site's server. This may enable remote code execution, though an .htaccess file in the upload directory restricts execution under default configurations. The vulnerability is classified as Unrestricted Upload of File with Dangerous Type [CWE-434].

Critical Impact

Authenticated low-privilege users can upload arbitrary files to WordPress sites running WP Dispatcher 1.2.0 or earlier, potentially leading to remote code execution if .htaccess protections are bypassed or absent.

Affected Products

  • WP Dispatcher plugin for WordPress, all versions up to and including 1.2.0
  • WordPress sites with Subscriber-level or higher account registration enabled
  • WordPress installations where server configuration ignores .htaccess restrictions

Discovery Timeline

  • 2025-10-03 - CVE-2025-9212 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9212

Vulnerability Analysis

The WP Dispatcher plugin exposes an upload handler through the wp_dispatcher_process_upload() function defined in admin/class-wp-dispatcher-add-new-upload.php. The function accepts file submissions from authenticated users without enforcing MIME type checks, extension allowlists, or content inspection.

Because WordPress assigns the Subscriber role to standard registered users on many sites, the attack surface extends to any account holder. Attackers can submit files with executable extensions such as .php, .phtml, or .phar and have them written to the plugin's upload directory.

The plugin ships an .htaccess file in the target directory that restricts script execution on Apache servers. This control reduces but does not eliminate the risk. Servers running Nginx, LiteSpeed, or misconfigured Apache instances that ignore .htaccess directives remain exposed to remote code execution.

Root Cause

The root cause is missing file type validation in the upload processing path. The handler does not call WordPress core functions such as wp_check_filetype_and_ext() or compare submitted extensions against a defined allowlist. Authorization checks permit any authenticated role to invoke the endpoint, compounding the impact.

Attack Vector

The attack requires network access and authenticated session with Subscriber privileges or above. An attacker registers an account on the target site, authenticates, and submits a crafted multipart upload request to the WP Dispatcher upload endpoint. The malicious file is written to disk under a predictable path within wp-content/uploads/. If the web server processes the file as PHP, the attacker achieves code execution in the context of the web server user.

Reference the WordPress File Upload Script and the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-9212

Indicators of Compromise

  • Files with executable extensions (.php, .phtml, .phar, .pht) present in the WP Dispatcher upload directory under wp-content/uploads/
  • Unexpected POST requests from Subscriber-level accounts to the WP Dispatcher upload handler
  • New or modified .htaccess files within plugin upload directories indicating tampering
  • Outbound network connections originating from the PHP worker process to attacker-controlled infrastructure

Detection Strategies

  • Audit WordPress access logs for POST requests targeting WP Dispatcher upload endpoints from non-administrator accounts
  • Monitor filesystem activity for write operations placing scripts in upload directories
  • Inspect web server process trees for unexpected child processes spawned by php-fpm or httpd
  • Compare deployed WP Dispatcher plugin version against the patched release using WP-CLI: wp plugin list --name=wp-dispatcher

Monitoring Recommendations

  • Enable file integrity monitoring across wp-content/uploads/ and alert on creation of files with script extensions
  • Forward WordPress and web server logs to a centralized SIEM for correlation against authentication events
  • Track new user registrations and flag accounts that interact with plugin upload endpoints shortly after registration
  • Review outbound DNS and HTTP traffic from web servers for indicators of webshell command-and-control activity

How to Mitigate CVE-2025-9212

Immediate Actions Required

  • Disable or uninstall the WP Dispatcher plugin until a patched version is confirmed available and deployed
  • Disable open user registration or restrict the default role to a value lower than Subscriber where feasible
  • Audit existing files in WP Dispatcher upload directories and remove any unauthorized scripts
  • Rotate WordPress administrator credentials and authentication keys if compromise is suspected

Patch Information

At the time of NVD publication, all versions up to and including 1.2.0 are affected. Site operators should monitor the WP Dispatcher plugin repository and the Wordfence Vulnerability Report for an updated release that introduces file type validation in wp_dispatcher_process_upload().

Workarounds

  • Verify the .htaccess file in the plugin upload directory is intact and contains directives such as php_flag engine off and denies execution of .php files
  • On Nginx or LiteSpeed deployments, add explicit location rules denying execution of PHP files within wp-content/uploads/
  • Deploy a Web Application Firewall rule blocking multipart uploads containing PHP script signatures targeting the WP Dispatcher endpoint
  • Restrict access to the WordPress admin and AJAX endpoints by IP allowlist where operationally feasible
bash
# Nginx configuration example to block PHP execution in uploads
location ~* /wp-content/uploads/.*\.(php|phtml|phar|pht)$ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.