{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12154", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T13:06:55.464Z", "datePublished": "2025-12-05T05:31:29.082Z", "dateUpdated": "2026-04-08T17:26:39.736Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:39.736Z"}, "affected": [{"vendor": "moderntribe", "product": "Auto Thumbnailer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Auto Thumbnailer <= 1.0 - Authenticated (Contributor+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve"}, {"url": "https://wordpress.org/plugins/auto-thumbnailer/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-12-04T17:20:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T13:55:26.700000Z", "id": "CVE-2025-12154", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T13:59:47.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12154", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-05T13:55:26.700000Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T13:58:41.900Z"}}], "cna": {"title": "Auto Thumbnailer <= 1.0 - Authenticated (Contributor+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "moderntribe", "product": "Auto Thumbnailer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T17:20:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve"}, {"url": "https://wordpress.org/plugins/auto-thumbnailer/"}], "descriptions": [{"lang": "en", "value": "The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:39.736Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12154", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:39.736Z", "dateReserved": "2025-10-24T13:06:55.464Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T05:31:29.082Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El plugin Auto Thumbnailer para WordPress es vulnerable a cargas de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n uploadThumb() en todas las versiones hasta la 1.0, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-12154", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T06:16:05.877", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/auto-thumbnailer/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:06:38.917071+00:00", "value": {"mitigation_remediation": ["Upgrade Auto Thumbnailer to a version newer than 1.0 as released by the vendor. ", "If an upgrade is not immediately possible, disable or delete the Auto Thumbnailer plugin to eliminate the upload route. ", "Configure WordPress to reject non-standard file extensions on uploads and set the target directory to be non-executable, ensuring that any uploaded files cannot be executed by the web server."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "ModernTribe\u2019s Auto Thumbnailer plugin running on WordPress sites. All releases up to and including version 1.0 are affected; no later release information is provided in the advisory.", "description_and_impact": "The Auto Thumbnailer plugin for WordPress allows authenticated attackers with Contributor level access or higher to upload arbitrary files to the site\u2019s server because the uploadThumb() function performs no file type validation. If an attacker uploads a malicious script, remote code execution may be achieved, leading to full compromise of the affected WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this flaw as a high severity vulnerability, and the EPSS score of less than 1% indicates a low probability of active exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and have Contributor or higher privileges to exploit the flaw. The lack of file type restrictions enables uploading of potentially executable files, which can then be accessed to run arbitrary code on the server. No mitigations beyond a patch are documented, so the risk remains until a proper fix is applied."}}}}, "created": "2025-12-05T10:51:53.082770+00:00", "updated": "2026-04-21T01:15:20.126161+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}