Cyber Posture

CVE-2025-12171

High

Published: 01 November 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.3rd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Security Summary

CVE-2025-12171 affects the RESTful Content Syndication plugin for WordPress in versions 1.1.0 through 1.5.0. The vulnerability stems from missing file type validation in the ingest_image() function, enabling arbitrary file uploads. It is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue was published on 2025-11-01.

Authenticated attackers with Author-level access or higher can exploit this to upload arbitrary files to the affected WordPress site's server, potentially leading to remote code execution. Exploitation requires the attacker to have access to a third-party server defined in the plugin's settings, making it unlikely for contributor-level users but more feasible for administrators who control those settings.

Mitigation details are documented in the WordPress plugin Trac changeset at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3384901%40restful-syndication&new=3384901%40restful-syndication&sfp_email=&sfph_mail= and in the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/99db7ac5-b7ac-4a4f-bd05-e563a3dfb839?source=cve.
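As an added illustration of the control the summary says is missing (this is not the plugin's code or its actual fix), the helper below shows how an image-ingest step can validate fetched bytes by content before choosing a filename, so a non-image payload retrieved from a configured remote server is rejected rather than written to disk. Function and constant names are hypothetical; the sample inputs are constructed.

```php
<?php
// Hypothetical hardened ingest step for a CWE-434 pattern: decide the file's
// type from its bytes, never from the remote URL or a declared extension.
// Not the plugin's own code; names are illustrative.

const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Returns a safe filename (extension derived from the detected type)
 * or null when the payload is not an allowed image.
 */
function validate_fetched_image(string $bytes, string $remote_name): ?string
{
    // 1. Sniff the real content type with libmagic; anything outside the
    //    allowlist (scripts, archives, octet-stream) is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // 2. Require the image decoder to agree with libmagic on the type.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        return null;
    }

    // 3. Build the stored name ourselves: basename only, unsafe characters
    //    replaced, extension taken from the detected type, so a double or
    //    executable extension in the remote name is never reproduced on disk.
    $base = pathinfo(basename($remote_name), PATHINFO_FILENAME);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base) ?: 'image';
    return substr($base, 0, 64) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed sample inputs (not real captures).
$gif_header = "GIF89a" . pack('vv', 1, 1) . "\x00\x00\x00"; // minimal 1x1 GIF header
$not_image  = "<?php echo 'constructed non-image sample'; ?>";

var_dump(validate_fetched_image($gif_header, 'photo.php.gif')); // string "photo_php.gif"
var_dump(validate_fetched_image($not_image, 'photo.gif'));      // NULL
```

Run with `php example.php`; the fileinfo and GD-independent `getimagesizefromstring` functions are in the PHP standard distribution.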

Details

CWE(s): CWE-434

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An arbitrary file upload vulnerability in a public-facing WordPress plugin directly enables exploitation of a public-facing application (T1190), facilitates ingress of tools or malware via the upload (T1105), and allows deployment of web shells for RCE and persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
