{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12399", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T14:16:05.581Z", "datePublished": "2025-11-08T09:28:11.905Z", "dateUpdated": "2026-04-08T17:32:42.863Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:42.863Z"}, "affected": [{"vendor": "alexreservations", "product": "Alex Reservations: Smart Restaurant Booking", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2d97646-27a8-4302-be70-7b4fb1a12300?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L11"}, {"url": "https://github.com/d0n601/CVE-2025-12399"}, {"url": "https://ryankozak.com/posts/cve-2025-12399/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3390614/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ryan Kozak"}], "timeline": [{"time": "2025-10-29T18:27:01.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-07T21:13:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T14:08:03.325477Z", "id": "CVE-2025-12399", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:13:30.917Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12399", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-10T14:08:03.325477Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:08:04.519Z"}}], "cna": {"title": "Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Ryan Kozak"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "alexreservations", "product": "Alex Reservations: Smart Restaurant Booking", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-29T18:27:01.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-07T21:13:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2d97646-27a8-4302-be70-7b4fb1a12300?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L11"}, {"url": "https://github.com/d0n601/CVE-2025-12399"}, {"url": "https://ryankozak.com/posts/cve-2025-12399/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3390614/"}], "descriptions": [{"lang": "en", "value": "The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:42.863Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12399", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:42.863Z", "dateReserved": "2025-10-28T14:16:05.581Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T09:28:11.905Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2025-12399", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T10:15:41.383", "references": [{"source": "security@wordfence.com", "url": "https://github.com/d0n601/CVE-2025-12399"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L11"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3390614/"}, {"source": "security@wordfence.com", "url": "https://ryankozak.com/posts/cve-2025-12399/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2d97646-27a8-4302-be70-7b4fb1a12300?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:45:16.038883+00:00", "value": {"mitigation_remediation": ["Upgrade the Alex Reservations plugin to the newest version that includes the fix for the arbitrary file upload flaw.", "Add a whitelist of allowed file types in the upload logic or enforce server\u2011side MIME type validation so that only safe files can be uploaded.", "Configure the web server to prevent execution of files in the upload directory, or restrict the /wp-json/srr/v1/app/upload/file endpoint to privileged users and ensure those accounts use multi\u2011factor authentication."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All WordPress installations running the Alex Reservations: Smart Restaurant Booking plugin version 2.2.3 or earlier are affected. The issue exists in the plugin\u2019s upload controller and applies to any site that has the plugin installed and active.", "description_and_impact": "The vulnerability is caused by missing file type validation in the upload endpoint of the Alex Reservations plugin. An authenticated attacker with Administrator or higher privilege can call /wp-json/srr/v1/app/upload/file and upload any file. Because the plugin does not check the MIME type or extension, the attacker can place executable code, such as a PHP script, on the server. If the upload directory allows execution, the attacker can run that code, leading to remote compromise of the WordPress site and the underlying server.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is presently unlikely and it is not listed in the CISA KEV catalog. However, the need for Administrator\u2011level credentials is a significant barrier that can still be breached via credential compromise or insider threat. Once authenticated, an attacker can upload malicious content and potentially execute code, which would compromise confidentiality, integrity, and availability of the site and its data."}}}}, "created": "2025-11-10T09:33:21.883257+00:00", "updated": "2026-04-21T01:45:24.451155+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}