CVE-2025-12674 is a critical security vulnerability identified in the KiotViet Sync plugin for WordPress, affecting all versions up to 1.8.5. The root cause is the absence of proper file type validation in the create_media() function, which handles media uploads. This CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability allows unauthenticated attackers to upload arbitrary files, including potentially malicious scripts, to the server hosting the WordPress site. Because the plugin does not restrict or validate the file types being uploaded, attackers can upload executable files such as PHP scripts. Once uploaded, these files can be executed remotely, leading to remote code execution (RCE). This compromises the confidentiality, integrity, and availability of the affected system. The vulnerability requires no authentication or user interaction, making it highly exploitable over the network. The CVSS v3.1 base score is 9.8, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a prime target for attackers. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation. Organizations using KiotViet Sync should monitor for updates and consider temporary protective measures such as disabling the plugin or restricting upload capabilities.

The impact of CVE-2025-12674 is severe for organizations using the KiotViet Sync WordPress plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the web server. This can result in full system compromise, data theft, defacement, installation of backdoors, or use of the server as a pivot point for further attacks within the network. Confidential customer data and business-critical information may be exposed or altered. The availability of the website or service can be disrupted through malicious payloads or server manipulation. Since the vulnerability requires no authentication, any attacker scanning for vulnerable sites can exploit it, increasing the risk of widespread attacks. The lack of known exploits currently in the wild provides a narrow window for organizations to act before attackers develop and deploy exploit code. Given the popularity of WordPress and the plugin’s role in e-commerce synchronization, the threat extends to online retailers and businesses relying on KiotViet Sync for inventory and sales management, potentially causing significant operational and financial damage.

1. Immediately monitor official channels for patches or updates from the KiotViet vendor and apply them as soon as they are released. 2. If no patch is available, consider disabling or uninstalling the KiotViet Sync plugin temporarily to eliminate the attack vector. 3. Implement web application firewall (WAF) rules to block or restrict file upload requests to the plugin’s endpoints, especially those attempting to upload executable file types such as .php, .phtml, .php5, or other script extensions. 4. Restrict file permissions on the upload directories to prevent execution of uploaded files. 5. Employ intrusion detection systems (IDS) and continuous monitoring to detect suspicious upload activity or anomalous file creations. 6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and their configurations. 7. Educate site administrators about the risks of using outdated plugins and the importance of timely updates. 8. Use plugin alternatives with better security track records if immediate patching is not feasible. 9. Harden the WordPress environment by disabling unnecessary PHP execution in upload directories via .htaccess or server configuration. 10. Maintain regular backups to enable recovery in case of compromise.