
CVE-2025-12630: CWE-862 Missing Authorization in Upload.am

Severity: Medium
Tags: Vulnerability, CVE-2025-12630, cwe-862
Published: Tue Dec 02 2025 (12/02/2025, 15:57:41 UTC)
Source: CVE Database V5
Product: Upload.am

Description

The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options.

AI-Powered Analysis

Last updated: 12/02/2025, 16:13:59 UTC

Technical Analysis

CVE-2025-12630 is a vulnerability identified in the Upload.am WordPress plugin versions before 1.0.1. The root cause is a missing authorization (capability) check in the plugin's AJAX request handler, which is responsible for handling certain asynchronous requests from users. This missing check allows users with contributor-level privileges—who normally have limited capabilities—to access and view sensitive site options that should be restricted to higher privilege roles such as administrators. The vulnerability is classified under CWE-862 (Missing Authorization) and results in arbitrary option disclosure, compromising the confidentiality of site configuration data. The CVSS 3.1 base score is 4.9 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). Exploitation requires authenticated access with contributor privileges but does not require additional user interaction, making it feasible in environments where contributor accounts exist. There are no known exploits in the wild at this time. The vulnerability could be leveraged by attackers to gather sensitive configuration information, potentially facilitating further targeted attacks or privilege escalation. The absence of a patch link suggests that users should update to version 1.0.1 or later once available or apply vendor guidance. The vulnerability was reserved in early November 2025 and published in December 2025 by WPScan.
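To make the CWE-862 pattern concrete, the following is an added illustration written for this page, not code from the Upload.am plugin: a WordPress AJAX handler that reads a site option with no authorization check, beside the hardened form that verifies a nonce, requires the `manage_options` capability, and restricts which options can be returned. The action name `myplugin_get_option`, the option names and the nonce action are all hypothetical.

```php
<?php
// Added example, not code from the Upload.am plugin. The action name
// "myplugin_get_option" and the option names are hypothetical.

// The CWE-862 pattern: a wp_ajax_* hook is reachable by any logged-in
// user (contributors included) and this handler never asks what that user
// is allowed to do, so any option the caller names is disclosed.
function myplugin_get_option_unchecked() {
    $name = sanitize_key( $_POST['option'] ?? '' );
    wp_send_json_success( get_option( $name ) );
}

// Hardened version of the same handler.
function myplugin_get_option_checked() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action (created on the calling page with
    //    wp_create_nonce( 'myplugin_get_option' )). Fails the request otherwise.
    check_ajax_referer( 'myplugin_get_option', 'nonce' );

    // 2. Authorization: reading site options is an administrator task, so
    //    require the capability instead of trusting "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Least exposure: only an allow-list of options the feature actually
    //    needs is served, never a caller-chosen option name.
    $allowed = array( 'myplugin_api_endpoint', 'myplugin_max_upload_mb' );
    $name    = sanitize_key( $_POST['option'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option.' ), 400 );
    }

    wp_send_json_success( get_option( $name ) );
}

// Register only the hardened handler. The unchecked function above is kept
// solely for comparison and is never hooked. No wp_ajax_nopriv_* hook is
// added, so unauthenticated visitors cannot reach the endpoint at all.
add_action( 'wp_ajax_myplugin_get_option', 'myplugin_get_option_checked' );
```

When auditing a plugin for this class of bug, search its `wp_ajax_` and `wp_ajax_nopriv_` registrations and confirm every handler performs a `current_user_can()` check appropriate to the data it exposes, not merely a nonce check.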

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the confidentiality of WordPress site configurations. Organizations using the Upload.am plugin on their WordPress installations could have sensitive site options exposed to users with contributor-level access, which is often granted to content creators or editors. This exposure could lead to information leakage about site settings, plugin configurations, or other sensitive data that could be used to facilitate further attacks such as privilege escalation, targeted phishing, or site defacement. While the vulnerability does not impact integrity or availability directly, the confidentiality breach can undermine trust and lead to compliance issues under GDPR if personal or sensitive data configurations are exposed. European organizations with active web content management and development teams that assign contributor roles are particularly at risk. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure. The impact is more pronounced in sectors with high reliance on WordPress for public-facing or internal sites, such as media, education, and government agencies.

Mitigation Recommendations

1. Immediately update the Upload.am WordPress plugin to version 1.0.1 or later once available to ensure the missing authorization check is implemented.
2. Audit all WordPress user roles and permissions to ensure that contributor accounts are assigned only to trusted users and that their privileges are minimized.
3. Implement strict role-based access control (RBAC) policies to limit the number of users with contributor or higher privileges.
4. Monitor AJAX request logs for unusual access patterns or attempts to access site options by contributor accounts.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized AJAX requests targeting the vulnerable endpoints.
6. Regularly review and harden WordPress security configurations, including disabling unnecessary plugins and limiting plugin installations to trusted sources.
7. Educate site administrators and content contributors about the risks of privilege misuse and encourage reporting of suspicious activity.
8. Consider implementing multi-factor authentication (MFA) for all privileged accounts to reduce the risk of compromised credentials being exploited.


Technical Details

Data Version
5.2
Assigner Short Name
WPScan
Date Reserved
2025-11-03T14:38:34.278Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 692f0ffa16d939a309ce6a35

Added to database: 12/2/2025, 4:12:42 PM

Last enriched: 12/2/2025, 4:13:59 PM

Last updated: 1/16/2026, 10:13:09 PM
