The Bread & Butter: Gate content & Improve lead conversion in 60 seconds WordPress plugin suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-12189. This vulnerability arises from missing or incorrect nonce validation in the uploadImage() function, which is responsible for handling image uploads within the plugin. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. The absence or improper validation of these nonces allows an attacker to craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a link), can upload arbitrary files to the server. This capability can be leveraged to achieve remote code execution (RCE), enabling the attacker to run arbitrary code on the affected server. The vulnerability affects all versions of the plugin up to and including version 7.10.1321. The CVSS 3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, but requiring user interaction. No known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-352, which corresponds to CSRF, a common web security weakness where unauthorized commands are transmitted from a user that the web application trusts. The lack of nonce validation is a critical oversight in the plugin's security design, especially given its administrative functionality and potential impact on site integrity and security.

If exploited, this vulnerability allows attackers to upload arbitrary files to the web server hosting the WordPress site, potentially leading to remote code execution. This can result in full site compromise, data theft, defacement, or use of the server as a pivot point for further attacks within an organization's network. Since the attack requires tricking an administrator into performing an action, the impact depends on the administrator's susceptibility to social engineering. Organizations relying on this plugin for lead capture and content gating risk unauthorized access and control over their web infrastructure. The compromise of such a plugin can also damage customer trust and lead to regulatory compliance issues if sensitive data is exposed. The medium CVSS score reflects the balance between the severity of potential impact and the exploitation complexity requiring user interaction. However, the ability to achieve remote code execution elevates the risk profile significantly for targeted attacks.

To mitigate this vulnerability, organizations should immediately update the Bread & Butter plugin to a patched version once released by the vendor. In the absence of an official patch, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the uploadImage() endpoint can provide temporary protection. Administrators should be trained to recognize phishing and social engineering attempts to reduce the risk of being tricked into executing malicious requests. Additionally, enforcing the principle of least privilege by limiting administrative access and using multi-factor authentication can reduce the potential impact. Regular security audits and monitoring for unusual file uploads or changes on the server can help detect exploitation attempts early. Finally, plugin developers should ensure proper nonce validation and adhere to WordPress security best practices in future releases.