CVE-2025-12682

CVE-2025-12682 affects the Easy Upload Files During Checkout plugin for WordPress in all versions up to and including 2.9.8. The vulnerability stems from missing file type validation in the 'file_during_checkout' function, enabling arbitrary JavaScript file uploads. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading arbitrary JavaScript files to the affected site's server during the checkout process, attackers may achieve remote code execution, compromising confidentiality, integrity, and availability of the targeted WordPress installation.

Mitigation details are available in advisories from Wordfence and the WordPress plugin trac repository. The trac changeset 3384711 documents the patch implementation, while the Wordfence threat intelligence page provides further vulnerability analysis and recommendations for affected users. Security practitioners should update to a patched version beyond 2.9.8 and review server configurations for uploaded file handling.