The vulnerability identified as CVE-2025-12673 affects the Flex QR Code Generator plugin for WordPress, developed by ajitdas. This plugin, widely used for generating QR codes within WordPress sites, contains a critical security flaw in its update_qr_code() function. Specifically, the plugin fails to validate the type of files being uploaded, which constitutes a CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability. This lack of validation allows unauthenticated attackers to upload arbitrary files, including potentially malicious scripts, to the web server hosting the WordPress site. Because the vulnerability requires no authentication or user interaction, it is trivially exploitable remotely over the network. Successful exploitation can lead to remote code execution (RCE), enabling attackers to execute arbitrary commands on the server, potentially leading to full site compromise, data theft, defacement, or pivoting to internal networks. The vulnerability affects all versions up to and including 1.2.6 of the plugin. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (C:H), integrity (I:H), and availability (A:H). Although no public exploits have been reported yet, the severity and ease of exploitation make this a significant threat to WordPress sites using this plugin. No official patches were listed at the time of publication, emphasizing the need for immediate mitigation steps.

The impact of CVE-2025-12673 is severe for organizations running WordPress sites with the vulnerable Flex QR Code Generator plugin. An attacker can upload arbitrary files without authentication, potentially leading to remote code execution. This can result in complete compromise of the web server, allowing attackers to steal sensitive data, deface websites, deploy malware, or use the compromised server as a foothold for further attacks within an organization's network. The confidentiality, integrity, and availability of affected systems are all at high risk. For e-commerce, financial, healthcare, and government websites, such a compromise could lead to significant financial losses, regulatory penalties, reputational damage, and operational disruptions. The vulnerability's ease of exploitation and lack of required privileges increase the likelihood of widespread attacks once exploit code becomes available. Organizations with public-facing WordPress sites are particularly vulnerable, especially those that rely on this plugin for QR code generation functionality.

1. Immediate mitigation involves disabling or uninstalling the Flex QR Code Generator plugin until a security patch is released. 2. Monitor web server logs for suspicious file upload attempts or unexpected file types in upload directories. 3. Implement web application firewall (WAF) rules to block or alert on file uploads with dangerous extensions or unexpected content types. 4. Restrict file upload permissions on the server to prevent execution of uploaded files, e.g., by disabling execution in upload directories via web server configuration. 5. Employ strict input validation and sanitization for all file uploads, ensuring only expected file types are accepted. 6. Keep WordPress core, themes, and all plugins updated to the latest versions. 7. Conduct regular security audits and vulnerability scans to detect similar issues proactively. 8. Once available, apply the official patch from the plugin vendor promptly. 9. Consider using alternative QR code generator plugins with a strong security track record if patching is delayed. 10. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.