{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9321", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-21T18:07:39.969Z", "datePublished": "2025-09-23T04:26:13.615Z", "dateUpdated": "2026-04-08T17:19:45.258Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:45.258Z"}, "affected": [{"vendor": "wpsight", "product": "WPCasa", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code."}], "title": "WPCasa <= 1.4.1 - Unauthenticated Code Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1001b2b-395a-44ee-827e-6e57f7a50218?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpcasa/trunk/includes/class-wpsight-api.php#L48"}, {"url": "https://plugins.trac.wordpress.org/changeset/3365172/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-09-22T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-23T13:48:52.960948Z", "id": "CVE-2025-9321", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-23T13:49:09.210Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9321", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-21T18:07:39.969Z", "datePublished": "2025-09-23T04:26:13.615Z", "dateUpdated": "2025-09-23T13:49:09.210Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-23T04:26:13.615Z"}, "affected": [{"vendor": "wpsight", "product": "WPCasa", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code."}], "title": "WPCasa <= 1.4.1 - Unauthenticated Code Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1001b2b-395a-44ee-827e-6e57f7a50218?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpcasa/trunk/includes/class-wpsight-api.php#L48"}, {"url": "https://plugins.trac.wordpress.org/changeset/3365172/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-09-22T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9321", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-23T13:48:52.960948Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-23T13:49:03.367Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code."}], "id": "CVE-2025-9321", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-23T05:15:35.970", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpcasa/trunk/includes/class-wpsight-api.php#L48"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3365172/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1001b2b-395a-44ee-827e-6e57f7a50218?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:29:16.237158+00:00", "value": {"mitigation_remediation": ["Apply the latest available WPCasa plugin version that includes a patch for this vulnerability.", "If a patched version is not yet available, remove or disable the WPCasa plugin and deny unauthenticated access to any related REST API endpoints.", "Configure a web application firewall or server\u2011side rule to block or restrict access to the plugin\u2019s REST API paths, ensuring that only authenticated users can reach them."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WPCasa plugin version 1.4.1 or earlier are affected. The vulnerability applies to all releases up to and including 1.4.1, with no further version information provided in the CVE record.", "description_and_impact": "The WPCasa plugin for WordPress contains a code injection flaw caused by inadequate validation of the parameters processed by the 'api_requests' function. This flaw allows an attacker with no authentication to invoke arbitrary PHP functions and execute code on the server, leading to full control of the compromised WordPress installation.", "risk_and_exploitability": "The CVSS score of 9.8 marks this as a critical issue, while the EPSS score of less than 1% indicates that the likelihood of exploitation is currently low. It is not listed as a known exploited vulnerability in the CISA KEV catalog. The attack vector is inferred to be a publicly accessible API endpoint exposed by the plugin, where unauthenticated users can craft requests that trigger the injection. An attacker would typically send a request to the plugin\u2019s API URL with malicious parameters to execute arbitrary PHP functions."}}}}, "created": "2025-09-23T16:03:24.768062+00:00", "updated": "2026-04-20T19:30:06.171674+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpsight", "wpsight$PRODUCT$wpcasa"]}