CVE-2025-9561
Published: 03 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-9561 is an arbitrary file upload vulnerability in the AP Background plugin for WordPress, affecting versions 3.8.1 through 3.8.2. The issue stems from missing authorization checks and insufficient file validation in the advParallaxBackAdminSaveSlider() handler within the plugin's admin functions. Published on October 3, 2025, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By uploading arbitrary files to the affected WordPress site's server, they can potentially achieve remote code execution, granting high levels of confidentiality, integrity, and availability impact.
Wordfence's threat intelligence report details the vulnerability; the plugin's Trac repository shows the affected code in functions.admin.php for version 3.8.2; and the official WordPress plugin page provides the AP Background plugin for further review. None of the provided references outlines specific patch details.
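The summary names two missing controls in the upload handler: an authorization check and file validation. As an added example (not the AP Background plugin's code and not a patch for this CVE), the following shows how a WordPress admin-AJAX upload handler would enforce both. The hook name `example_save_slider`, the nonce action, the form field `slider_image` and the option name are assumptions for illustration only.

```php
<?php
// Added example, not the plugin's own code: a hardened admin-side upload handler.
// Hook name, nonce action, field name and option name are assumptions.

add_action( 'wp_ajax_example_save_slider', 'example_save_slider' );

function example_save_slider() {
    // 1. Authorization: a capability check stops Subscriber-level accounts here.
    //    A nonce alone does not do this; any logged-in user who can load the page
    //    that renders the nonce can replay it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Request forgery protection: ties the request to the admin form.
    check_ajax_referer( 'example_save_slider_nonce', 'nonce' );

    if ( empty( $_FILES['slider_image'] ) || ! is_array( $_FILES['slider_image'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }

    // 3. File validation: an explicit allow-list of image types, checked by
    //    extension AND by file content (wp_check_filetype_and_ext sniffs real
    //    images), so a renamed script fails even if its extension looks benign.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $file  = $_FILES['slider_image'];
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }

    // 4. Let core move the file. wp_handle_upload() re-validates against the
    //    same allow-list, sanitises the filename and writes under the uploads
    //    directory instead of a path assembled from request data.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    update_option( 'example_slider_image', esc_url_raw( $result['url'] ) );
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The order matters for review: the capability check comes first and is independent of the nonce, because CWE-434 findings in WordPress plugins are often paired with a missing or insufficient authorization check, which is what lets a low-privilege account reach the upload code at all. Passing `mimes` to `wp_handle_upload()` keeps the validation in one allow-list rather than relying on the site-wide default.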
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
An arbitrary file upload vulnerability in a public-facing WordPress plugin allows authenticated low-privilege attackers to achieve remote code execution, which maps directly to T1190: Exploit Public-Facing Application.