CVE-2025-12138
Published: 21 November 2025
Description
The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. This is due to the plugin relying on a user-controlled Content-Type HTTP header…
more
to validate file uploads in the 'uimptr_import_image_from_url()' function which writes the file to the server before performing proper validation. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible via the uploaded PHP file.
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely identification, reporting, and patching of the arbitrary file upload flaw in the URL Image Importer plugin.
Mandates validation of information inputs like file uploads at entry points, preventing bypass via spoofed Content-Type headers in the uimptr_import_image_from_url() function.
Deploys malicious code protection at system entry points to scan and eradicate arbitrary PHP files uploaded through the vulnerable plugin function.
Security SummaryAI
CVE-2025-12138 affects the URL Image Importer plugin for WordPress in all versions up to and including 1.0.6. The vulnerability is an arbitrary file upload flaw stemming from insufficient file type validation in the uimptr_import_image_from_url() function. Specifically, the plugin relies on a user-controlled Content-Type HTTP header for validation while writing the uploaded file to the server before performing proper checks, enabling attackers to bypass restrictions.
Authenticated attackers with Author-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying a malicious file with a spoofed Content-Type header, they can upload arbitrary files to the affected WordPress site's server. This may lead to remote code execution if a PHP file is uploaded, as indicated by the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and association with CWE-434 (Unrestricted Upload of File with Dangerous Type).
References provided include links to vulnerable code locations in the plugin's source file (url-image-importer.php) at lines 1319, 1353, 1358, and 198, as well as changeset 3395852 in the WordPress plugins trac repository, which security practitioners should review for patch details and mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload vulnerability in a public-facing WordPress plugin enables remote code execution via uploaded PHP files, directly mapping to T1190: Exploit Public-Facing Application.