{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12153", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T13:03:55.950Z", "datePublished": "2025-12-05T05:31:26.455Z", "dateUpdated": "2026-04-08T17:10:15.786Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:15.786Z"}, "affected": [{"vendor": "tsaiid", "product": "Featured Image via URL", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9687a88f-ac5b-4746-a68c-91c358b5fb87?source=cve"}, {"url": "https://wordpress.org/plugins/featured-image-via-url/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-12-04T17:21:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T14:04:58.594578Z", "id": "CVE-2025-12153", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T14:15:14.441Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12153", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-05T14:04:58.594578Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T14:13:35.737Z"}}], "cna": {"title": "Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "tsaiid", "product": "Featured Image via URL", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T17:21:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9687a88f-ac5b-4746-a68c-91c358b5fb87?source=cve"}, {"url": "https://wordpress.org/plugins/featured-image-via-url/"}], "descriptions": [{"lang": "en", "value": "The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-05T05:31:26.455Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12153", "state": "PUBLISHED", "dateUpdated": "2025-12-05T14:15:14.441Z", "dateReserved": "2025-10-24T13:03:55.950Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T05:31:26.455Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2025-12153", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T06:16:05.707", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/featured-image-via-url/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9687a88f-ac5b-4746-a68c-91c358b5fb87?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:40:11.219443+00:00", "value": {"mitigation_remediation": ["Update the Featured Image via URL plugin to the latest release that implements proper file-type validation.", "If an update is not available, either disable or remove the plugin until a fix is released.", "Secure the upload directory by setting restrictive file permissions and configuring a web application firewall to block unexpected file uploads and enforce MIME type checks."], "summary": {"action": "Apply patch", "impact": "Arbitrary file uploads potentially enabling remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Featured Image via URL WordPress plugin with version 0.1 or older. Any site that has installed this plugin and grants Contributor or higher roles to users is at risk.", "description_and_impact": "The Featured Image via URL plugin for WordPress lacks file-type validation in all releases up to 0.1, allowing an authenticated attacker with Contributor or higher access to upload any file to the server. Uploaded files can be crafted to contain malicious code, which, if placed in an executable location, may lead to remote code execution. The consequence is a compromise of data confidentiality, integrity, and availability on the affected site.", "risk_and_exploitability": "The CVSS score of 8.8 reflects high severity, yet the EPSS score of less than 1% indicates that the exploit probability is currently low, and the issue is not listed in CISA's KEV catalog. The attack vector requires authenticated access; attackers gain upload privileges through the plugin's Contributor or higher capabilities. Because the flaw allows arbitrary file uploads, the risk level warrants immediate attention."}}}}, "created": "2025-12-05T10:52:03.042795+00:00", "updated": "2026-04-22T12:00:05.909634+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}