CVE-2025-9762 is a critical OS command injection vulnerability classified under CWE-78, found in the Post By Email plugin for WordPress developed by westi. The vulnerability exists due to improper neutralization of special elements in the save_attachments function, specifically the absence of file type validation when handling email attachments. This flaw allows unauthenticated remote attackers to upload arbitrary files to the web server hosting the vulnerable WordPress site. Since the plugin processes email attachments without verifying their type or content, attackers can upload malicious files such as web shells or scripts that enable remote code execution (RCE). Exploiting this vulnerability requires no privileges or user interaction, making it highly accessible. The CVSS v3.1 base score of 9.8 indicates a critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact includes full compromise of the web server, data theft, defacement, or pivoting to internal networks. No patches have been linked yet, and no known exploits are reported in the wild, but the vulnerability's nature and ease of exploitation make it a high priority for remediation. The vulnerability affects all versions of the plugin up to and including 1.0.4b, implying that any site using this plugin version is at risk.

The potential impact of CVE-2025-9762 is severe for organizations worldwide using the Post By Email WordPress plugin. Successful exploitation can lead to remote code execution, enabling attackers to execute arbitrary commands on the affected server. This compromises the confidentiality of sensitive data stored or processed by the website, the integrity of website content and server configurations, and the availability of the web service. Attackers could deploy web shells, malware, or ransomware, leading to data breaches, defacement, service disruption, or lateral movement within corporate networks. Given WordPress's extensive use globally, especially among small to medium enterprises and content-driven sites, the vulnerability poses a significant risk to a broad range of organizations. The lack of authentication or user interaction requirements further increases the threat level, as automated attacks and mass scanning can be used to identify and exploit vulnerable sites rapidly.

1. Immediate mitigation should involve disabling the Post By Email plugin until a secure patch is released. 2. If disabling is not feasible, restrict access to the plugin's functionality by IP whitelisting or firewall rules to limit exposure. 3. Implement web application firewall (WAF) rules to detect and block suspicious file upload attempts targeting the save_attachments function. 4. Monitor web server logs for unusual file uploads or execution attempts, especially files with uncommon extensions or unexpected content. 5. Enforce strict file type validation and sanitization on all uploaded files at the application level once patches are available. 6. Regularly update WordPress and all plugins to the latest versions to incorporate security fixes. 7. Conduct thorough security audits and penetration testing focusing on file upload mechanisms. 8. Backup website data and configurations frequently to enable recovery in case of compromise. 9. Educate site administrators about the risks of using outdated or unmaintained plugins. 10. Follow vendor advisories closely for official patches or updates addressing this vulnerability.