CVE-2025-9212: CWE-434 Unrestricted Upload of File with Dangerous Type in ekndev WP Dispatcher
The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.
AI Analysis
Technical Summary
CVE-2025-9212 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the WP Dispatcher plugin for WordPress, developed by ekndev. The vulnerability arises from the wp_dispatcher_process_upload() function, which does not validate the type of uploaded files. This flaw allows authenticated users with minimal privileges (Subscriber-level and above) to upload arbitrary files to the server hosting the WordPress site. While the plugin's upload directory includes an .htaccess file intended to prevent execution of uploaded files, this protection may not fully prevent remote code execution (RCE), especially if the .htaccess rules can be bypassed or are misconfigured. The vulnerability is present in all versions up to and including 1.2.0, and no patch was available according to the data provided. The CVSS 3.1 base score is 7.5 (high severity); the vector reflects a network attack vector, high attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability was reserved in August 2025 and published in October 2025. No exploits have been reported in the wild yet, but the potential for exploitation remains significant because many WordPress sites allow self-registration, which makes Subscriber-level access easy to obtain.
Potential Impact
The impact of CVE-2025-9212 is substantial for organizations running WordPress sites with the WP Dispatcher plugin installed. Successful exploitation allows attackers to upload arbitrary files, which can lead to remote code execution, enabling full compromise of the affected web server. This compromises confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by potentially disrupting services. Since the vulnerability requires only Subscriber-level authentication, attackers can exploit sites with minimal privileges, increasing the attack surface. This is particularly critical for sites that allow user registrations or have weak authentication controls. The presence of an .htaccess file mitigates but does not eliminate the risk, as misconfigurations or alternative attack vectors could still lead to RCE. Organizations could face data breaches, defacement, malware distribution, or use of compromised servers as pivot points for further attacks. The widespread use of WordPress globally amplifies the potential reach and impact of this vulnerability.
Mitigation Recommendations
1. Immediate mitigation involves restricting or disabling the WP Dispatcher plugin until a secure patch is released.
2. Implement strict file upload validation at the web application firewall (WAF) or reverse proxy level to block dangerous file types before they reach the plugin.
3. Harden the .htaccess configuration to explicitly deny execution of all file types except those strictly necessary, and consider moving upload directories outside the web root if possible.
4. Enforce strong authentication and limit Subscriber-level user registrations to trusted users only.
5. Monitor server logs and file system changes for suspicious upload activity.
6. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous file uploads or web shell signatures.
7. Regularly audit user permissions and remove unnecessary accounts with upload privileges.
8. Once available, promptly apply official patches from the plugin vendor.
9. Consider using security plugins that provide enhanced file upload scanning and sandboxing.
10. Educate site administrators about the risks of arbitrary file uploads and best practices for plugin management.
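As an added illustration (this is not code from the WP Dispatcher plugin or from its vendor), the following hardened upload handler shows the checks whose absence the advisory describes for wp_dispatcher_process_upload(): a capability gate that Subscriber accounts do not pass by default, a nonce check, extension-and-content validation through WordPress's own wp_check_filetype_and_ext(), and a server-generated filename. The function names, the nonce action 'example_upload' and the form field name 'file' are assumptions made for the example.

```php
<?php
/**
 * Added example of a hardened WordPress upload handler (hypothetical names).
 * It is not the WP Dispatcher plugin's code; it demonstrates the file type
 * validation and authorisation checks a CWE-434 fix needs.
 */

// wp_handle_upload() lives in wp-admin; load it when running outside wp-admin.
require_once ABSPATH . 'wp-admin/includes/file.php';

// Allow-list of extension => MIME type pairs this handler accepts.
// Everything else (php, phtml, phar, html, svg, ...) is rejected outright.
function example_allowed_upload_mimes() {
    return array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
}

// Returns the stored file's absolute path on success or a WP_Error on failure.
function example_hardened_process_upload() {
    // 1. Authorisation: 'upload_files' is granted to Author and above, not to
    //    Subscriber, which closes the privilege gap the advisory describes.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    // 2. CSRF protection: the form must carry a nonce for the 'example_upload' action.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // 3. Make sure a file actually arrived through PHP's upload mechanism.
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }
    $file = $_FILES['file'];

    // 4. File type validation. wp_check_filetype_and_ext() checks the extension
    //    against the allow-list and, where PHP's fileinfo extension is available,
    //    inspects the file content too; a mismatch comes back with ext/type false.
    $mimes = example_allowed_upload_mimes();
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    // 5. Never keep the client-supplied name. A random name plus the validated
    //    extension removes double extensions ("shell.php.jpg") and path tricks.
    $safe_name = wp_generate_password( 20, false ) . '.' . $check['ext'];

    $overrides = array(
        'test_form'                => false,      // not submitted via the core media form
        'mimes'                    => $mimes,     // wp_handle_upload() re-validates against this list
        'unique_filename_callback' => function ( $dir, $name, $ext ) use ( $safe_name ) {
            return $safe_name;
        },
    );

    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file'];
}
```

The application-level check is only one layer. Recommendation 3 above still applies: the upload directory's .htaccess should deny script execution regardless of what the handler accepts, for example with an Apache 2.4 `<FilesMatch "\.(php|phtml|phar|php[0-9]?)$">` block containing `Require all denied`, and that control is only effective on servers that actually honour .htaccess files.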
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-19T19:33:21.414Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68dfb275c3835a5fbe033c4c
Added to database: 10/3/2025, 11:24:37 AM
Last enriched: 2/26/2026, 5:46:24 PM
Last updated: 3/24/2026, 7:03:52 AM