Cyber Posture

CVE-2025-12775

Severity: High

Published: 18 November 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (48.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation occurs. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
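As an added illustration (not WP Dropzone's own code), the following chunked-upload AJAX handler shows the ordering the description says the plugin lacked: the declared filename is checked against WordPress's allowed MIME map before the first chunk is written, chunks are staged outside the web-served uploads tree, and the assembled file is type-checked again before it is moved into place. The action name, nonce action and request field names are assumptions.

```php
<?php
// Added illustration, not the plugin's code: validate before any chunk is
// written. The reported flaw is the reverse order (write, then check type).
add_action( 'wp_ajax_example_chunk_upload', 'example_chunk_upload_handler' ); // hook name assumed

function example_chunk_upload_handler() {
    check_ajax_referer( 'example_chunk_upload', 'nonce' ); // nonce action assumed

    // Subscriber-level accounts lack upload_files, so they are refused here.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    $name  = sanitize_file_name( wp_unslash( $_POST['name'] ?? '' ) );
    $index = (int) ( $_POST['chunk'] ?? 0 );
    $total = (int) ( $_POST['chunks'] ?? 1 );

    // Gate 1: the declared final filename must map to an allowed MIME type
    // before the first byte is written anywhere.
    $type = wp_check_filetype( $name, get_allowed_mime_types() );
    if ( '' === $name || empty( $type['ext'] ) || empty( $type['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no chunk received', 400 );
    }

    // Assemble in the temp dir, not under the web-served uploads tree.
    $staging = trailingslashit( get_temp_dir() ) . 'chunk-' . get_current_user_id() . '-' . md5( $name ) . '.part';
    $fh = fopen( $staging, 0 === $index ? 'wb' : 'ab' );
    fwrite( $fh, file_get_contents( $_FILES['file']['tmp_name'] ) );
    fclose( $fh );
    if ( $index + 1 < $total ) {
        wp_send_json_success( array( 'received' => $index ) );
    }

    // Gate 2: on the last chunk, check the assembled content as well as the
    // extension, then move it into the uploads directory under a unique name.
    $real = wp_check_filetype_and_ext( $staging, $name, get_allowed_mime_types() );
    if ( empty( $real['ext'] ) || empty( $real['type'] ) ) {
        unlink( $staging );
        wp_send_json_error( 'content does not match an allowed type', 400 );
    }
    $dir  = wp_upload_dir()['path'];
    $dest = trailingslashit( $dir ) . wp_unique_filename( $dir, $name );
    rename( $staging, $dest );
    wp_send_json_success( array( 'file' => basename( $dest ) ) );
}
```

When auditing a chunked uploader, the question to ask is where the first `fwrite`/`move_uploaded_file` sits relative to the filetype check; a partial file under `wp-content/uploads` is already reachable over HTTP.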

Mitigating Controls (NIST 800-53 r5), AI-generated

prevent: Directly mandates validation of file uploads prior to writing to disk, addressing the core flaw where chunked uploads bypass type validation in `ajax_upload_handle`.

prevent: Requires timely identification, reporting, and patching of flaws like this arbitrary file upload vulnerability in the WP Dropzone plugin.

prevent: Restricts the file types, sizes, and characteristics allowed in uploads to the server's uploads directory, preventing arbitrary dangerous files from being accepted.

Security Summary, AI-generated

CVE-2025-12775 is an authenticated arbitrary file upload vulnerability in the WP Dropzone plugin for WordPress, affecting all versions up to and including 1.1.0. The flaw resides in the `ajax_upload_handle` function, where the chunked upload functionality writes files directly to the uploads directory before performing any file type validation. Published on 2025-11-18, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the chunked upload mechanism, they can upload arbitrary files to the server's uploads directory, potentially enabling remote code execution on the affected WordPress site.

Advisories and references, including the Wordfence threat intelligence report and WordPress plugin Trac entries, highlight the vulnerable code in `includes/class-plugin.php` at lines 88 and 127, along with a specific changeset (3395966) that may indicate remediation efforts. Security practitioners should review these sources for patching guidance and update to a fixed version if available.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An authenticated arbitrary file upload vulnerability in a public-facing WordPress plugin enables exploitation of a public-facing application (T1190) and facilitates web shell deployment for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References