CVE-2025-12968

Severity: High
Published: 12 December 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0039 (percentile 60.2)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type, which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)

prevent: Requires validation of file inputs beyond the client-supplied, spoofable MIME type (extension and content checks against an allowlist) to block uploads of files with dangerous types.

prevent: Enforces capability checks and approved authorizations so that subscriber-level users cannot reach the vulnerable upload and import functions.

prevent: Mandates timely remediation of known flaws such as this arbitrary file upload vulnerability by applying the vendor patch, i.e. a release later than 2.14.42.
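The two weaknesses named in the description (MIME-only validation and a missing capability check) and the two corresponding controls above are easiest to see side by side. The following is an added illustration written for this page, not code from the Infility Global plugin or from the changeset it references: a deliberately weak upload handler in the pattern the advisory describes, followed by a hardened one. Function names, the nonce action, the AJAX action name and the `imports/` directory are assumptions of the example; `current_user_can`, `check_ajax_referer`, `wp_check_filetype_and_ext`, `wp_handle_upload` and `wp_send_json_*` are real WordPress APIs.

```php
<?php
/**
 * Added illustration (not the plugin's code). Hypothetical handler names
 * and paths; WordPress core APIs are real and used with their documented
 * signatures.
 */

// --- Weak pattern: what the advisory describes -------------------------------
// $_FILES['file']['type'] is copied from the Content-Type header the client
// sent. An attacker uploads shell.php with "Content-Type: image/png" and
// passes this check. There is no capability check, so any logged-in user
// (including a subscriber) can reach it.
function example_insecure_import_upload() {
    $allowed = array( 'image/png', 'image/jpeg', 'text/plain', 'application/json' );
    if ( ! in_array( $_FILES['file']['type'], $allowed, true ) ) {
        wp_send_json_error( 'bad type' ); // exits
    }
    // Keeps the attacker-chosen name and extension (e.g. shell.php).
    $target = WP_CONTENT_DIR . '/uploads/imports/' . basename( $_FILES['file']['name'] ); // hypothetical dir
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( array( 'file' => $target ) );
}

// --- Hardened pattern ---------------------------------------------------------
function example_secure_import_upload() {
    // 1. Authorization: importing site data is an administrative action.
    //    Subscribers only hold 'read', so they are rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce for this action
    //    ('example_import_nonce' is an assumed action name).
    check_ajax_referer( 'example_import_nonce', 'nonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file' );
    }

    // 3. Server-side type validation. wp_check_filetype_and_ext() ignores the
    //    client's Content-Type, derives the type from the extension against
    //    the allowlist, and cross-checks file content where WordPress can
    //    (images via getimagesize/fileinfo). Only the formats the import
    //    feature needs are allowed; .php is not in the list and fails.
    $mimes = array( 'json' => 'application/json', 'csv' => 'text/csv' );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $mimes );
    if ( false === $check['ext'] || false === $check['type'] ) {
        wp_send_json_error( 'file type not allowed' );
    }

    // 4. Let core move the file: wp_handle_upload() re-validates against the
    //    same allowlist, sanitizes the name and makes it unique. test_form is
    //    false because this is an AJAX request without a form 'action' field.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'] );
    }
    wp_send_json_success( array( 'file' => $result['file'] ) );
}
add_action( 'wp_ajax_example_import_file', 'example_secure_import_upload' );
```

The order matters: the capability check runs before any file handling, so an unprivileged user never reaches the validation code at all, and the type check is done on the server from the file itself rather than from a header the attacker controls. As defence in depth, independent of the plugin, the web server should also be configured not to execute scripts from the uploads directory, so that a file that does slip through cannot be invoked as PHP.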

Security Summary

CVE-2025-12968 is an arbitrary file upload vulnerability in the Infility Global plugin for WordPress, affecting all versions up to and including 2.14.42. The issue stems from inadequate file type validation and missing capability checks: the `upload_file` function in the `infility_import_file` class relies solely on spoofable MIME type validation, while the `import_data` function lacks proper access controls. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely without user interaction. By spoofing MIME types and leveraging the unchecked import functions, they can upload arbitrary files to the affected WordPress site's server, potentially enabling remote code execution depending on server configuration and file types allowed.

Mitigation guidance is referenced in advisories including Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/542a18f6-9d17-4e54-85e1-e01630ca371e?source=cve), the Infility Global plugin page (https://wordpress.org/plugins/infility-global/), and WordPress plugin trac changeset 3421596 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421596%40infility-global&new=3421596%40infility-global&sfp_email=&sfph_mail=), which likely addresses the issue. Security practitioners should update to a patched version beyond 2.14.42 and review access to the plugin's import features.

Details

CWE(s)
CWE-434 Unrestricted Upload of File with Dangerous Type

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An arbitrary file upload vulnerability in a public-facing WordPress plugin enables exploitation of a public-facing application (T1190), escalation from low-privilege (subscriber) access to remote code execution (T1068), and deployment of web shells into the site's upload directory (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Wordfence threat intelligence: https://www.wordfence.com/threat-intel/vulnerabilities/id/542a18f6-9d17-4e54-85e1-e01630ca371e?source=cve
Infility Global plugin page: https://wordpress.org/plugins/infility-global/
WordPress plugin trac changeset 3421596: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421596%40infility-global&new=3421596%40infility-global&sfp_email=&sfph_mail=