CVE-2025-9212 Overview
CVE-2025-9212 is an arbitrary file upload vulnerability in the WP Dispatcher plugin for WordPress. The flaw exists in the wp_dispatcher_process_upload() function, which fails to validate uploaded file types. All versions up to and including 1.2.0 are affected.
Authenticated attackers with Subscriber-level access or higher can upload arbitrary files to the affected site's server. This may enable remote code execution, though an .htaccess file in the upload directory restricts execution under default configurations. The vulnerability is classified as Unrestricted Upload of File with Dangerous Type [CWE-434].
Critical Impact
Authenticated low-privilege users can upload arbitrary files to WordPress sites running WP Dispatcher 1.2.0 or earlier, potentially leading to remote code execution if .htaccess protections are bypassed or absent.
Affected Products
- WP Dispatcher plugin for WordPress, all versions up to and including 1.2.0
- WordPress sites with Subscriber-level or higher account registration enabled
- WordPress installations where server configuration ignores .htaccess restrictions
Discovery Timeline
- 2025-10-03 - CVE-2025-9212 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9212
Vulnerability Analysis
The WP Dispatcher plugin exposes an upload handler through the wp_dispatcher_process_upload() function defined in admin/class-wp-dispatcher-add-new-upload.php. The function accepts file submissions from authenticated users without enforcing MIME type checks, extension allowlists, or content inspection.
Because WordPress assigns the Subscriber role to standard registered users on many sites, the attack surface extends to any account holder. Attackers can submit files with executable extensions such as .php, .phtml, or .phar and have them written to the plugin's upload directory.
The plugin ships an .htaccess file in the target directory that restricts script execution on Apache servers. This control reduces but does not eliminate the risk. Servers running Nginx, LiteSpeed, or misconfigured Apache instances that ignore .htaccess directives remain exposed to remote code execution.
Root Cause
The root cause is missing file type validation in the upload processing path. The handler does not call WordPress core functions such as wp_check_filetype_and_ext() or compare submitted extensions against a defined allowlist. Authorization checks permit any authenticated role to invoke the endpoint, compounding the impact.
Attack Vector
The attack requires network access and authenticated session with Subscriber privileges or above. An attacker registers an account on the target site, authenticates, and submits a crafted multipart upload request to the WP Dispatcher upload endpoint. The malicious file is written to disk under a predictable path within wp-content/uploads/. If the web server processes the file as PHP, the attacker achieves code execution in the context of the web server user.
Reference the WordPress File Upload Script and the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-9212
Indicators of Compromise
- Files with executable extensions (.php, .phtml, .phar, .pht) present in the WP Dispatcher upload directory under wp-content/uploads/
- Unexpected POST requests from Subscriber-level accounts to the WP Dispatcher upload handler
- New or modified .htaccess files within plugin upload directories indicating tampering
- Outbound network connections originating from the PHP worker process to attacker-controlled infrastructure
Detection Strategies
- Audit WordPress access logs for POST requests targeting WP Dispatcher upload endpoints from non-administrator accounts
- Monitor filesystem activity for write operations placing scripts in upload directories
- Inspect web server process trees for unexpected child processes spawned by php-fpm or httpd
- Compare deployed WP Dispatcher plugin version against the patched release using WP-CLI: wp plugin list --name=wp-dispatcher
Monitoring Recommendations
- Enable file integrity monitoring across wp-content/uploads/ and alert on creation of files with script extensions
- Forward WordPress and web server logs to a centralized SIEM for correlation against authentication events
- Track new user registrations and flag accounts that interact with plugin upload endpoints shortly after registration
- Review outbound DNS and HTTP traffic from web servers for indicators of webshell command-and-control activity
How to Mitigate CVE-2025-9212
Immediate Actions Required
- Disable or uninstall the WP Dispatcher plugin until a patched version is confirmed available and deployed
- Disable open user registration or restrict the default role to a value lower than Subscriber where feasible
- Audit existing files in WP Dispatcher upload directories and remove any unauthorized scripts
- Rotate WordPress administrator credentials and authentication keys if compromise is suspected
Patch Information
At the time of NVD publication, all versions up to and including 1.2.0 are affected. Site operators should monitor the WP Dispatcher plugin repository and the Wordfence Vulnerability Report for an updated release that introduces file type validation in wp_dispatcher_process_upload().
Workarounds
- Verify the .htaccess file in the plugin upload directory is intact and contains directives such as php_flag engine off and denies execution of .php files
- On Nginx or LiteSpeed deployments, add explicit location rules denying execution of PHP files within wp-content/uploads/
- Deploy a Web Application Firewall rule blocking multipart uploads containing PHP script signatures targeting the WP Dispatcher endpoint
- Restrict access to the WordPress admin and AJAX endpoints by IP allowlist where operationally feasible
# Nginx configuration example to block PHP execution in uploads
location ~* /wp-content/uploads/.*\.(php|phtml|phar|pht)$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

