CVE-2025-12846
Published: 11 November 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-12846 is an authenticated arbitrary file upload vulnerability affecting the Blocksy Companion plugin for WordPress in all versions up to and including 2.1.19. The issue stems from insufficient file type validation when handling SVG files, which permits double extension files to bypass sanitization while still being accepted as valid SVGs. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Authenticated attackers with author-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading malicious files disguised with double extensions, they can place arbitrary content on the affected WordPress site's server, potentially enabling remote code execution and full server compromise.
Mitigation details are outlined in advisories from Wordfence and a corresponding patch in WordPress plugin trac changeset 3391933, which modifies the SVG handling in the Blocksy Companion framework at trunk/framework/features/svg.php. Security practitioners should urge site owners to update the plugin beyond version 2.1.19 and review access controls for author roles.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows authenticated arbitrary file upload to a public-facing WordPress application via insufficient SVG validation and double extensions, directly enabling exploitation of public-facing apps (T1190) and deployment of web shells for RCE (T1100).