Cyber Posture

CVE-2025-12161

High

Published: 08 November 2025

Modified: 15 April 2026
KEV Added: (not listed)
Patch: (see Security Summary)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-12161 is an arbitrary file upload vulnerability in the Smart Auto Upload Images plugin for WordPress, affecting all versions up to and including 1.2.0. The issue stems from missing file type validation in the auto-image creation functionality: files fetched and written by that feature are not checked against an allowlist of permitted types, so an attacker can get arbitrary files written to the affected site's server. Published on 2025-11-08, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with Contributor-level access or higher (the PR:L component of the vector) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows uploading malicious files, which may lead to remote code execution on the server.

Mitigation is available via an update to version 1.2.1; the fix can be reviewed in the WordPress plugin Trac changeset comparing tags 1.2.0 and 1.2.1. Further advisory information, including threat intelligence, is provided by Wordfence.
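The control whose absence CWE-434 describes is that the server, not the request, decides what type a file is. The following PHP is an added illustration for this advisory; it is not code from the Smart Auto Upload Images plugin and does not reproduce the plugin's logic or its fix. It assumes only the standard `fileinfo` and GD extensions, and the function names and sample inputs are constructed for the example.

```php
<?php
// Added example for this advisory. It is NOT code from the Smart Auto Upload
// Images plugin and does not reproduce its logic. It shows the control whose
// absence CWE-434 describes: the server derives the file type from the file's
// content against an allowlist, and never trusts the name or extension that
// arrived with a remote URL or an upload request.

declare(strict_types=1);

// Allowlist: detected MIME type => extension the server will use on disk.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Validate fetched image bytes before they are written under the uploads path.
 * Returns the extension to store the file with, or null if it must be rejected.
 * The original file name is deliberately not a parameter: it is never consulted.
 */
function validate_image_bytes(string $contents): ?string
{
    if ($contents === '') {
        return null;
    }

    // Check 1: content sniffing with libmagic (PHP fileinfo extension).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($contents);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // Check 2: the bytes must actually parse as an image with a positive size.
    $info = @getimagesizefromstring($contents);
    if ($info === false || $info[0] <= 0 || $info[1] <= 0) {
        return null;
    }

    // Check 3: the parsed image type must agree with the sniffed MIME type,
    // so a file that libmagic and GD classify differently is refused.
    if (image_type_to_mime_type($info[2]) !== $mime) {
        return null;
    }

    return ALLOWED_IMAGE_TYPES[$mime];
}

/**
 * Build the on-disk name: random basename plus the validated extension.
 * Nothing from the remote URL or request survives, so a name such as
 * "image.php", a double extension, or a path separator cannot influence
 * where or how the file is stored.
 */
function safe_upload_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- constructed sample inputs (not taken from any real incident) ---
$png_1x1 = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$plain_text = "<?php echo 'not an image';";

$cases = [
    'photo.png  (real PNG bytes)'       => $png_1x1,
    'photo.php  (real PNG, bad name)'   => $png_1x1,
    'avatar.png (script text, png name)' => $plain_text,
];

foreach ($cases as $label => $bytes) {
    $ext = validate_image_bytes($bytes);
    printf("%-36s -> %s\n", $label,
        $ext === null ? 'REJECTED' : 'stored as ' . safe_upload_name($ext));
}
```

The first two cases are accepted and stored as a random name with a `.png` extension regardless of the claimed name; the third is rejected because libmagic does not classify the bytes as an allowed image type. In a WordPress plugin the framework-native equivalent of this check is `wp_check_filetype_and_ext()`, which compares the extension against the detected content type and the site's allowed MIME list. As defence in depth, the uploads directory should also be configured so the web server never executes scripts from it, which limits the impact if a validation bug like the one in this advisory is present.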

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The arbitrary file upload in this WordPress plugin lets an attacker abuse a public-facing application to place files on the server, which can lead to remote code execution; that maps directly to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
