Overview
A critical security vulnerability, identified as CVE-2025-12153, has been discovered in the Featured Image via URL plugin for WordPress. This vulnerability allows authenticated attackers with Contributor-level access or higher to upload arbitrary files to the affected WordPress server. This could potentially lead to remote code execution (RCE) and full compromise of the website.
All versions of the Featured Image via URL plugin up to and including version 0.1 are affected.
Technical Details
The vulnerability stems from a missing file type validation function within the plugin. When uploading a featured image via URL, the plugin fails to properly verify the file extension or content type of the uploaded file. This allows an attacker to bypass intended security measures and upload malicious files, such as PHP scripts, masquerading as image files. Since Contributor-level access is sufficient to exploit this, a compromised or malicious user account can be used to inject malicious code.
An attacker can leverage this vulnerability to:
- Upload a PHP webshell for remote server administration.
- Modify or inject malicious code into existing WordPress files.
- Deface the website.
- Gain unauthorized access to sensitive data.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12153 is 8.8, indicating a HIGH severity vulnerability. The CVSS vector string provides further detail:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
This breaks down as:
- AV:N (Network): The vulnerability is exploitable over a network.
- AC:L (Low): The attack complexity is low.
- PR:L (Low): Low privileges are required to exploit this vulnerability (Contributor or higher).
- UI:N (None): No user interaction is required.
- S:U (Unchanged): The vulnerability doesn’t change security scopes
- C:H (High): High impact on confidentiality.
- I:H (High): High impact on integrity.
- A:H (High): High impact on availability.
Possible Impact
The consequences of exploiting this vulnerability can be severe:
- Remote Code Execution (RCE): Attackers can execute arbitrary code on the server, allowing them to gain complete control.
- Data Breach: Sensitive data, including user credentials and customer information, could be compromised.
- Website Defacement: Attackers can modify the website’s content, leading to reputational damage.
- Malware Distribution: The compromised website can be used to distribute malware to visitors.
- Denial of Service (DoS): Attackers can disrupt the website’s availability.
Mitigation and Patch Steps
- Update the Plugin: The most important step is to update the Featured Image via URL plugin to the latest version as soon as a patched version becomes available. Check the WordPress plugin repository for updates.
- Disable the Plugin: If an update is not yet available, temporarily disable the Featured Image via URL plugin to prevent exploitation.
- Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) with rules to block arbitrary file uploads. Consider using a WAF that specializes in WordPress security.
- Review User Roles and Permissions: Carefully review user roles and permissions. Limit Contributor-level access and above to only trusted users.
- Monitor Website Activity: Monitor your website’s logs for suspicious activity, such as unauthorized file uploads or attempts to access sensitive files.
References
- CVE ID: CVE-2025-12153
- WordPress Plugin Page: Featured Image via URL
- Wordfence Threat Intelligence: Wordfence Analysis of CVE-2025-12153
