CVE-2025-12399: CWE-434 Unrestricted Upload of File with Dangerous Type in alexreservations Alex Reservations: Smart Restaurant Booking
The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-12399 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Alex Reservations: Smart Restaurant Booking plugin for WordPress. This plugin, widely used for managing restaurant bookings, contains a flaw in its REST API endpoint /wp-json/srr/v1/app/upload/file that fails to validate the type of files being uploaded. As a result, authenticated users with Administrator-level privileges can upload arbitrary files, including potentially malicious scripts, to the server hosting the WordPress site. This lack of file type validation means attackers can upload web shells or other executable code, enabling remote code execution (RCE). The vulnerability affects all versions up to and including 2.2.3. Exploitation requires authentication with high privileges but does not require user interaction beyond that. The CVSS v3.1 score of 7.2 reflects the network attack vector, low attack complexity, high privileges required, and high impact on confidentiality, integrity, and availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple administrators or weak access controls.
Potential Impact
If exploited, this vulnerability can lead to complete compromise of the affected WordPress site. Attackers can upload malicious files such as web shells, enabling them to execute arbitrary code remotely, escalate privileges, and maintain persistent access. This can result in data theft, defacement, service disruption, and use of the compromised server as a pivot point for further attacks within an organization's network. Given the plugin's role in restaurant booking, sensitive customer data including personal and payment information could be exposed, leading to privacy violations and regulatory penalties. The requirement for administrator-level access limits the attack surface but insider threats or compromised admin accounts increase risk. The vulnerability threatens confidentiality, integrity, and availability of the affected systems, potentially causing reputational damage and financial loss to organizations worldwide.
Mitigation Recommendations
1. Immediately restrict Administrator-level access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA).
2. Monitor and audit all file uploads and administrative actions on the WordPress site to detect suspicious activity.
3. Implement web application firewalls (WAF) with rules to detect and block malicious file uploads targeting the vulnerable endpoint.
4. Disable or restrict the vulnerable REST API endpoint (/wp-json/srr/v1/app/upload/file) if possible until a patch is available.
5. Regularly back up website data and files to enable recovery in case of compromise.
6. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released.
7. Conduct security reviews of all installed plugins and remove or replace those no longer maintained or with known vulnerabilities.
8. Use file integrity monitoring tools to detect unauthorized changes to web server files.
9. Educate administrators about the risks of uploading files and the importance of access controls.
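As a stopgap for item 4, the following example (added here; it is not code from the plugin, from Wordfence, or from this advisory) is a WordPress must-use plugin that intercepts the vulnerable route before the plugin's own upload callback runs and rejects any file whose extension and sniffed content are not on an allowlist. The route path is taken from the advisory; the allowlist contents and the `srr_` function and constant names are assumptions to adapt to your deployment.

```php
<?php
/**
 * Plugin Name: SRR upload guard (example mu-plugin, drop into wp-content/mu-plugins/)
 * Description: Enforces a file type allowlist on the Alex Reservations upload route
 *              until a vendor fix for CVE-2025-12399 is available.
 */

// REST route as seen by WP_REST_Request::get_route(), i.e. without the /wp-json prefix.
// Taken from the advisory's endpoint path.
const SRR_UPLOAD_ROUTE = '/srr/v1/app/upload/file';

// Assumed allowlist: the types a booking plugin plausibly needs. Anything else,
// including .php, .phtml and double extensions such as shell.php.jpg, is rejected.
const SRR_ALLOWED_MIMES = [
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'gif'      => 'image/gif',
    'pdf'      => 'application/pdf',
];

add_filter( 'rest_request_before_callbacks', 'srr_guard_upload_route', 10, 3 );

/**
 * Runs before any REST callback. Returning a WP_Error aborts the request,
 * so the plugin's unvalidated handler never sees the file.
 */
function srr_guard_upload_route( $response, $handler, $request ) {
    // Leave every other REST request untouched.
    if ( $request->get_route() !== SRR_UPLOAD_ROUTE ) {
        return $response;
    }

    foreach ( $request->get_file_params() as $field => $file ) {
        // Reject malformed or multi-file array fields outright rather than guess.
        if ( ! isset( $file['tmp_name'], $file['name'] ) || ! is_string( $file['name'] )
             || ! is_uploaded_file( $file['tmp_name'] ) ) {
            return new WP_Error( 'srr_bad_upload', 'Malformed upload.', [ 'status' => 400 ] );
        }

        // Validate the extension AND the file's actual content against the allowlist;
        // the client-supplied name alone is not trusted.
        $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], SRR_ALLOWED_MIMES );
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            // Leave an audit trail (item 2): which admin tried to upload what.
            error_log( sprintf( 'srr_guard: blocked upload "%s" in field "%s" by user %d',
                $file['name'], $field, get_current_user_id() ) );
            return new WP_Error( 'srr_forbidden_type', 'File type not allowed.', [ 'status' => 403 ] );
        }
    }
    return $response;
}
```

Because `rest_request_before_callbacks` fires for every REST request, the route comparison at the top keeps the guard's cost to a single string check elsewhere on the site.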
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-28T14:16:05.581Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690f0e9f15ddfe7d54073e97
Added to database: 11/8/2025, 9:34:23 AM
Last enriched: 2/27/2026, 8:30:11 PM
Last updated: 3/25/2026, 3:08:50 AM