CVE-2025-12674

CVE-2025-12674 is an arbitrary file upload vulnerability in the KiotViet Sync plugin for WordPress, affecting all versions up to and including 1.8.5. The flaw arises from missing file type validation in the create_media() function, allowing attackers to upload arbitrary files to the affected site's server. Classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By uploading malicious files, such as web shells, they can potentially achieve remote code execution on the server hosting the vulnerable WordPress site.

Mitigation details are available in advisories from the Wordfence Threat Intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/7fdd670f-2a71-4c1d-af46-f0fd05352f7e?source=cve) and the plugin's WordPress repository (https://wordpress.org/plugins/kiotvietsync/). Security practitioners should consult these sources for patching guidance, such as updating to a fixed version or temporarily disabling the plugin.