CVE-2025-12138: CWE-434 Unrestricted Upload of File with Dangerous Type in bww URL Image Importer
The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. This is due to the plugin relying on a user-controlled Content-Type HTTP header to validate file uploads in the 'uimptr_import_image_from_url()' function which writes the file to the server before performing proper validation. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible via the uploaded PHP file.
AI Analysis
Technical Summary
CVE-2025-12138 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the bww URL Image Importer plugin for WordPress, specifically versions up to and including 1.0.6. The vulnerability arises because the plugin improperly validates uploaded files by relying on the Content-Type HTTP header, which is user-controllable, to determine file legitimacy. The function 'uimptr_import_image_from_url()' writes the uploaded file to the server before performing robust validation, allowing an authenticated attacker with Author-level or higher privileges to upload arbitrary files, including malicious PHP scripts. This flaw can lead to remote code execution (RCE) on the web server, compromising the confidentiality, integrity, and availability of the affected system. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based with low complexity. The CVSS v3.1 score of 8.8 reflects the high impact and relatively low attack complexity. Although no public exploits are currently known, the vulnerability's nature and impact make it a critical concern for WordPress sites using this plugin. The lack of available patches at the time of disclosure increases the urgency for mitigation through alternative controls.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the bww URL Image Importer plugin installed. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands, deploy malware, steal sensitive data, or disrupt services. This can result in data breaches, defacement, loss of customer trust, regulatory penalties under GDPR, and operational downtime. Organizations in sectors such as finance, healthcare, e-commerce, and government are particularly vulnerable due to the sensitive nature of their data and services. The ease of exploitation by any authenticated user with Author-level access means that insider threats or compromised accounts can be leveraged to escalate attacks. Additionally, the widespread use of WordPress across Europe increases the potential attack surface. The absence of known exploits currently provides a window for proactive defense, but the high CVSS score indicates that the threat could be rapidly weaponized.
Mitigation Recommendations
1. Immediately restrict or disable the bww URL Image Importer plugin until a patched version is released. 2. Limit user roles and permissions strictly, ensuring only trusted users have Author-level or higher access. 3. Implement web application firewalls (WAF) with rules to detect and block suspicious file uploads or PHP file execution in upload directories. 4. Employ additional server-side file validation mechanisms that do not rely solely on HTTP headers, such as MIME type verification and file content inspection. 5. Monitor logs for unusual upload activity or execution of unexpected scripts. 6. Use security plugins that can detect and quarantine malicious files. 7. Regularly update WordPress core, plugins, and themes to incorporate security patches. 8. Consider isolating upload directories with restrictive permissions and disabling execution of scripts in these directories. 9. Educate users about the risks of privilege misuse and enforce strong authentication controls to prevent account compromise.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-12138: CWE-434 Unrestricted Upload of File with Dangerous Type in bww URL Image Importer
Description
The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. This is due to the plugin relying on a user-controlled Content-Type HTTP header to validate file uploads in the 'uimptr_import_image_from_url()' function which writes the file to the server before performing proper validation. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible via the uploaded PHP file.
AI-Powered Analysis
Technical Analysis
CVE-2025-12138 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the bww URL Image Importer plugin for WordPress, specifically versions up to and including 1.0.6. The vulnerability arises because the plugin improperly validates uploaded files by relying on the Content-Type HTTP header, which is user-controllable, to determine file legitimacy. The function 'uimptr_import_image_from_url()' writes the uploaded file to the server before performing robust validation, allowing an authenticated attacker with Author-level or higher privileges to upload arbitrary files, including malicious PHP scripts. This flaw can lead to remote code execution (RCE) on the web server, compromising the confidentiality, integrity, and availability of the affected system. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based with low complexity. The CVSS v3.1 score of 8.8 reflects the high impact and relatively low attack complexity. Although no public exploits are currently known, the vulnerability's nature and impact make it a critical concern for WordPress sites using this plugin. The lack of available patches at the time of disclosure increases the urgency for mitigation through alternative controls.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the bww URL Image Importer plugin installed. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands, deploy malware, steal sensitive data, or disrupt services. This can result in data breaches, defacement, loss of customer trust, regulatory penalties under GDPR, and operational downtime. Organizations in sectors such as finance, healthcare, e-commerce, and government are particularly vulnerable due to the sensitive nature of their data and services. The ease of exploitation by any authenticated user with Author-level access means that insider threats or compromised accounts can be leveraged to escalate attacks. Additionally, the widespread use of WordPress across Europe increases the potential attack surface. The absence of known exploits currently provides a window for proactive defense, but the high CVSS score indicates that the threat could be rapidly weaponized.
Mitigation Recommendations
1. Immediately restrict or disable the bww URL Image Importer plugin until a patched version is released. 2. Limit user roles and permissions strictly, ensuring only trusted users have Author-level or higher access. 3. Implement web application firewalls (WAF) with rules to detect and block suspicious file uploads or PHP file execution in upload directories. 4. Employ additional server-side file validation mechanisms that do not rely solely on HTTP headers, such as MIME type verification and file content inspection. 5. Monitor logs for unusual upload activity or execution of unexpected scripts. 6. Use security plugins that can detect and quarantine malicious files. 7. Regularly update WordPress core, plugins, and themes to incorporate security patches. 8. Consider isolating upload directories with restrictive permissions and disabling execution of scripts in these directories. 9. Educate users about the risks of privilege misuse and enforce strong authentication controls to prevent account compromise.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-23T21:17:07.350Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6920235bcf2d47c38997b52c
Added to database: 11/21/2025, 8:31:23 AM
Last enriched: 11/21/2025, 8:39:29 AM
Last updated: 11/22/2025, 10:09:26 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-13318: CWE-862 Missing Authorization in codepeople Booking Calendar Contact Form
MediumCVE-2025-13136: CWE-862 Missing Authorization in westerndeal GSheetConnector For Ninja Forms
MediumCVE-2025-13384: CWE-862 Missing Authorization in codepeople CP Contact Form with PayPal
HighCVE-2025-13317: CWE-862 Missing Authorization in codepeople Appointment Booking Calendar
MediumCVE-2025-12877: CWE-862 Missing Authorization in themeatelier IDonate – Blood Donation, Request And Donor Management System
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.