{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12637", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T16:32:46.720Z", "datePublished": "2025-11-11T03:30:50.343Z", "dateUpdated": "2026-04-08T17:28:57.722Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:57.722Z"}, "affected": [{"vendor": "koopersmith", "product": "Elastic Theme Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Elastic Theme Editor <= 0.0.3 - Authenticated (Subscriber+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e158a13d-5452-492a-875e-53791e1ff840?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/elastic-theme-editor/trunk/editor/class-elastic-editor.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-11-10T14:54:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:11:09.016383Z", "id": "CVE-2025-12637", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:05:15.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12637", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-12T15:11:09.016383Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:11:10.984Z"}}], "cna": {"title": "Elastic Theme Editor <= 0.0.3 - Authenticated (Subscriber+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "koopersmith", "product": "Elastic Theme Editor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T14:54:54.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e158a13d-5452-492a-875e-53791e1ff840?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/elastic-theme-editor/trunk/editor/class-elastic-editor.php"}], "descriptions": [{"lang": "en", "value": "The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-11T03:30:50.343Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12637", "state": "PUBLISHED", "dateUpdated": "2025-11-12T20:05:15.227Z", "dateReserved": "2025-11-03T16:32:46.720Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:50.343Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "id": "CVE-2025-12637", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:47.893", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/elastic-theme-editor/trunk/editor/class-elastic-editor.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e158a13d-5452-492a-875e-53791e1ff840?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:42:41.560148+00:00", "value": {"mitigation_remediation": ["Upgrade Elastic Theme Editor to the latest release (0.0.4 or later) as soon as it becomes available.", "If upgrading is not possible, disable or remove the process_theme function and limit the plugin to allow uploads only of safe file types.", "Inspect the plugin directory for any unexpected files or code and delete any that appear malicious.", "Restrict Subscriber or higher role assignments to trusted users and employ security plugins to monitor for anomalous upload activity."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "WordPress installations using Elastic Theme Editor version 0.0.3 or earlier are affected.", "description_and_impact": "The Elastic Theme Editor WordPress plugin enables authenticated users with Subscriber-level access or higher to upload arbitrary files because of a dynamic code generation flaw in the process_theme function. By uploading malicious scripts or code to the site\u2019s filesystem, an attacker can achieve remote code execution.", "risk_and_exploitability": "The CVSS score of 8.8 signals high severity, but the EPSS score of less than 1% indicates a currently low probability of exploitation. The vulnerability requires authentication, so restricting user roles reduces risk; however, once an attacker attains Subscriber privileges, uploading a PHP shell could compromise the entire site. The issue is not yet listed in the CISA KEV catalog."}}}}, "created": "2025-11-12T12:42:53.799530+00:00", "updated": "2026-04-21T01:45:24.447812+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}