CVE Alert: CVE-2025-9112 – dreamstechnologies – Doccure
CVE-2025-9112
The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the ‘doccure_temp_file_uploader’ function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site’s server which may make remote code execution possible.
AI Summary Analysis
Risk verdict
High risk: authenticated users with subscriber-level access can upload arbitrary files in Doccure ≤1.4.8, potentially enabling remote code execution.
Why this matters
The flaw enables attackers with legitimate WordPress credentials to plant web shells or other hostile payloads on the host, risking complete site compromise, data leakage, and defacement. With a high CVSS impact on confidentiality, integrity and availability, exploitation could disrupt operations and erode trust, especially on sites handling sensitive data or customer interactions.
Most likely attack path
An attacker authenticates as Subscriber+ and uses the vulnerable uploader to place a malicious file in the uploads area. Because file-type validation is inadequate, a PHP payload can be stored and later executed by the web server, yielding remote code execution. No user interaction is required for exploitation beyond the authenticated session, and privilege remains at the initial scope of the WordPress site, so lateral movement depends on server permissions and existing web app credentials.
Who is most exposed
WordPress sites using the Doccure theme (versions ≤1.4.8) on shared or managed hosting where PHP execution is permitted in the uploads tree and user accounts may be weakly protected are most at risk. Environments with many subscriber accounts, open self-registration, or weak or absent MFA are especially vulnerable.
Detection ideas
- Unusual PHP files appearing in wp-content/uploads or doccure-related temp directories.
- Upload attempts that bypass MIME-type checks or create suspicious file names.
- Web server logs showing repeated file uploads to the uploader endpoint from authenticated sessions.
- New web shells, or files carrying PHP open tags under an image or document extension, being requested from the site.
- Sudden increases in authenticated file-upload activity.
Mitigation and prioritisation
- Update to a fixed Doccure version or apply the vendor fix; verify WordPress/theme compatibility.
- Disable or strictly validate uploads of PHP/ASP/shell-like extensions (allowlist, not denylist; reject double extensions); check file type against content, not only the client-supplied MIME type.
- Implement a WAF rule set to block dangerous file uploads and restrict execution in uploads directories.
- Enforce stronger authentication (MFA), rotate credentials, and review subscriber-level accounts for anomalies.
- Change-management: proceed with patching promptly; monitor for signs of exploitation. If KEV or EPSS signals are provided indicating active exploitation, treat as priority 1.
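To make the "strictly validate uploads" item concrete, here is an added Python example of the checks a hardened upload handler performs; it is not the theme's code and not a patch for it. The allowlist, size limit and magic-byte table are constructed for the example. The design point is that nothing the client sends (name, extension, `Content-Type`) is trusted on its own: the extension must be on an allowlist, the file must carry only one extension, the leading bytes must match the type that extension implies, the body must not contain a PHP open tag (a polyglot image), and the stored name is chosen by the server.

```python
import os
import re
import secrets

# Allowlist: extension -> (MIME type to store, accepted magic-byte prefixes). Constructed table.
ALLOWED = {
    "jpg":  ("image/jpeg",      [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg",      [b"\xff\xd8\xff"]),
    "png":  ("image/png",       [b"\x89PNG\r\n\x1a\n"]),
    "gif":  ("image/gif",       [b"GIF87a", b"GIF89a"]),
    "pdf":  ("application/pdf", [b"%PDF-"]),
}
PHP_TAG_RE = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*[\"']?php", re.IGNORECASE)
MAX_BYTES = 5 * 1024 * 1024   # constructed limit


class UploadRejected(ValueError):
    """Raised with a short, log-friendly reason when an upload fails validation."""


def validate_upload(original_name, data, client_mime=None):
    """Return (stored_name, mime) for an acceptable file, else raise UploadRejected.
    original_name and client_mime are untrusted hints from the request."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    base = os.path.basename(original_name.replace("\\", "/"))   # drop any path component
    if "\x00" in base:
        raise UploadRejected("null byte in file name")
    segments = base.lower().split(".")
    if len(segments) < 2 or not all(segments[1:]):
        raise UploadRejected("missing or empty extension")
    if len(segments) > 2:
        raise UploadRejected("multiple extensions not allowed")   # e.g. shell.php.jpg
    ext = segments[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not in allowlist")
    mime, magics = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match declared type")
    if client_mime is not None and client_mime.lower() != mime:
        raise UploadRejected("client MIME type disagrees with content")
    if PHP_TAG_RE.search(data):
        raise UploadRejected("embedded PHP open tag")   # image/PHP polyglot
    # Server-chosen random name: the user never controls the path written to disk.
    return f"{secrets.token_hex(16)}.{ext}", mime


def rejection_reason(original_name, data, client_mime=None):
    """Convenience wrapper: None if the upload is accepted, else the rejection reason."""
    try:
        validate_upload(original_name, data, client_mime)
        return None
    except UploadRejected as exc:
        return str(exc)


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32           # constructed JPEG header
    for name, body, mime in [
        ("avatar.jpg", jpeg, "image/jpeg"),
        ("shell.php.jpg", jpeg, "image/jpeg"),
        ("page.php", b"<?php /* placeholder */ ?>", "text/plain"),
        ("photo.gif", b"GIF89a<?php /* placeholder */ ?>", "image/gif"),
        ("photo.png", jpeg, "image/png"),
    ]:
        print(f"{name}: {rejection_reason(name, body, mime) or 'accepted'}")
```

Pair this with server configuration that refuses to execute scripts under the uploads directory at all, so that a validation mistake is not by itself enough for code execution; the two controls fail independently.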