Overview
A high-severity vulnerability, identified as CVE-2025-12775, has been discovered in the WP Dropzone plugin for WordPress. This vulnerability allows authenticated users, with subscriber-level access and above, to upload arbitrary files to the affected server, potentially leading to remote code execution. This affects all versions up to, and including, 1.1.0 of the WP Dropzone plugin. Immediate action is recommended to mitigate this risk.
Technical Details
The vulnerability resides within the ajax_upload_handle function of the WP Dropzone plugin. Specifically, the chunked upload functionality writes files directly to the uploads directory before any file type validation is performed. This allows an attacker to bypass file type restrictions by uploading a malicious file in chunks, ultimately gaining the ability to execute arbitrary code on the server. The problematic code is in `class-plugin.php` (the ajax_upload_handle function and the plugin initialization), as listed under References below.
The fix involves implementing file validation *before* the file chunks are assembled and written to the server.
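As an added illustration of that fix pattern, below is a hypothetical hardened chunked-upload handler written for this page; it is not WP Dropzone's code, and the AJAX action, nonce and request field names are assumed. The point it shows is ordering: the declared file type is checked before any byte is written, chunks are staged outside the web-served uploads directory, and the assembled content is verified against its extension before the file is moved into uploads.

```php
<?php
// Added example (not WP Dropzone's code): a chunked-upload AJAX handler that validates
// BEFORE any chunk is written, and assembles chunks outside the uploads directory.
// Hypothetical names: action/nonce 'example_chunk_upload', fields 'filename',
// 'chunk_index', 'total_chunks', file field 'chunk'.
add_action( 'wp_ajax_example_chunk_upload', 'example_chunk_upload_handler' );
function example_chunk_upload_handler() {
    // Subscribers do not have 'upload_files'; deny before touching the request body.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'example_chunk_upload', 'nonce' );
    if ( empty( $_FILES['chunk']['tmp_name'] ) || ! isset( $_POST['filename'], $_POST['chunk_index'], $_POST['total_chunks'] ) ) {
        wp_send_json_error( 'missing parameters', 400 );
    }
    $filename = sanitize_file_name( wp_unslash( $_POST['filename'] ) );
    $index    = absint( $_POST['chunk_index'] );
    $total    = absint( $_POST['total_chunks'] );
    // 1. Check the declared filename against the allowed MIME list on EVERY chunk,
    //    before a single byte is written anywhere.
    $declared = wp_check_filetype( $filename, get_allowed_mime_types() );
    if ( empty( $declared['ext'] ) || empty( $declared['type'] ) || $total < 1 || $index >= $total ) {
        wp_send_json_error( 'file type or chunk parameters not allowed', 415 );
    }
    // 2. Append the chunk to an opaque .part file under the temp dir, not under /uploads,
    //    so a half-assembled file is never reachable through the web server.
    $staging = trailingslashit( get_temp_dir() ) . 'example-chunks-' . get_current_user_id();
    wp_mkdir_p( $staging );
    $part = $staging . '/' . md5( $filename ) . '.part';
    if ( ! is_uploaded_file( $_FILES['chunk']['tmp_name'] )
        || false === file_put_contents( $part, file_get_contents( $_FILES['chunk']['tmp_name'] ), $index === 0 ? LOCK_EX : FILE_APPEND | LOCK_EX ) ) {
        wp_send_json_error( 'write failed', 500 );
    }
    if ( $index + 1 < $total ) {
        wp_send_json_success( array( 'received' => $index ) );
    }
    // 3. Last chunk: verify the assembled CONTENT against the extension (magic bytes for
    //    images, finfo for other types) before it is moved into the uploads directory.
    $real = wp_check_filetype_and_ext( $part, $filename );
    if ( empty( $real['ext'] ) || empty( $real['type'] ) ) {
        unlink( $part );
        wp_send_json_error( 'content does not match declared type', 415 );
    }
    $upload = wp_upload_dir();
    $final  = $upload['path'] . '/' . wp_unique_filename( $upload['path'], $real['proper_filename'] ? $real['proper_filename'] : $filename );
    rename( $part, $final );
    wp_send_json_success( array( 'file' => $upload['url'] . '/' . basename( $final ) ) );
}
```

Every WordPress function used here (wp_check_filetype, wp_check_filetype_and_ext, get_temp_dir, wp_unique_filename, etc.) is core API; only the handler itself and its request contract are assumptions.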
CVSS Analysis
This vulnerability has been assigned a CVSS score of 8.8, indicating a HIGH severity. The CVSS vector is likely AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning:
- AV:N (Attack Vector: Network) – The attack can be launched remotely over the network.
- AC:L (Attack Complexity: Low) – The attack requires little to no specialized access conditions or circumstances.
- PR:L (Privileges Required: Low) – The attacker requires only low-level privileges (e.g., a subscriber role).
- UI:N (User Interaction: None) – No user interaction is required for the attack to succeed.
- S:U (Scope: Unchanged) – An exploited vulnerability can only affect resources managed by the same security authority.
- C:H (Confidentiality: High) – There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
- I:H (Integrity: High) – There is a total loss of integrity or a complete loss of protection.
- A:H (Availability: High) – There is a total loss of availability, allowing the attacker to fully deny access to all or nearly all resources within the impacted component.
Possible Impact
Successful exploitation of this vulnerability could have severe consequences, including:
- Remote Code Execution (RCE): Attackers could upload and execute malicious code on the server, gaining complete control over the website.
- Website Defacement: Attackers could modify the website’s content, defacing it or injecting malicious scripts.
- Data Theft: Attackers could access sensitive data stored on the server, such as user credentials, personal information, or financial data.
- Malware Distribution: The compromised website could be used to distribute malware to visitors.
Mitigation and Patch Steps
The most effective mitigation is to immediately update the WP Dropzone plugin to the latest available version. Check the WordPress plugin repository for updates. If an update is not yet available, consider temporarily disabling the plugin until a patched version is released. The changelog referencing the fix can be found here: Plugin Changelog.
While awaiting an update, consider implementing these temporary workarounds (though they are not a replacement for patching):
- Restrict access to WP Dropzone functionalities: If possible, limit the use of the plugin to trusted users only.
- Monitor upload directories: Regularly check the WordPress uploads directory for any suspicious or unexpected files.
References
- CVE ID: CVE-2025-12775
- Wordfence Threat Intelligence: Wordfence Vulnerability Report
- Plugin Code: `class-plugin.php` – ajax_upload_handle function
- Plugin Code: `class-plugin.php` – Plugin Initialization
- Changelog: Plugin Changelog
