CVE Alert: CVE-2025-12399 – alexreservations – Alex Reservations: Smart Restaurant Booking
CVE-2025-12399
The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.
AI Summary Analysis
Risk verdict
High risk of authenticated admin-level arbitrary file upload enabling potential remote code execution; remediation should be prioritised.
Why this matters
If an administrator can upload arbitrary files, attackers could place web shells or other malicious payloads on the server, leading to full site compromise, data exposure, or defacement. Real-world impact includes credential theft, lateral movement to connected systems, and disruption of guest-facing booking services.
Most likely attack path
An attacker who already holds Administrator-level access sends a crafted file to the vulnerable REST endpoint, which performs no file type validation. The attack is network-reachable, low complexity and needs no user interaction, so the attacker can place a payload that the server may then execute. Scope is unchanged: the attacker's actions stay within the context of the compromised site.
Who is most exposed
WordPress sites deploying this plugin, especially those with multiple admin accounts or weak credential hygiene, in hospitality or SMB environments where plugin usage is common and admin access is broader.
Detection ideas
- Unusual POST requests to /wp-json/srr/v1/app/upload/file from admin sessions.
- Upload of non-standard file types or PHP files into the uploads directory.
- New or modified PHP/JS files shortly after admin login or role changes.
- Admin accounts exhibiting atypical file upload activity.
- Web server logs showing repeated upload attempts targeting the endpoint.
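The detection ideas above, turned into runnable checks as an added example (this is not part of the original alert and not the plugin's code). It parses web server access log lines in combined format, lists POSTs to the upload endpoint named in the advisory, flags source addresses that repeat them, and scans a listing of newly created files under the uploads directory for risky extensions, including double extensions such as name.php.jpg and dotfiles such as .htaccess. The log lines, file paths, repeat threshold and extension list are constructed assumptions for illustration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Endpoint named in the advisory.
UPLOAD_ENDPOINT = "/wp-json/srr/v1/app/upload/file"

# Constructed sample access log (combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "POST /wp-json/srr/v1/app/upload/file HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:01:05 +0000] "POST /wp-json/srr/v1/app/upload/file HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:10:02:11 +0000] "GET /wp-admin/admin.php?page=srr HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2025:10:01:09 +0000] "POST /wp-json/srr/v1/app/upload/file?x=1 HTTP/1.1" 200 305 "-" "python-requests/2.31"
192.0.2.44 - - [12/Nov/2025:10:05:40 +0000] "GET /wp-content/uploads/2025/11/menu.pdf HTTP/1.1" 200 51230 "-" "Mozilla/5.0"
"""

# Constructed listing of files that appeared under wp-content/uploads after an admin session.
SAMPLE_NEW_FILES = [
    "/wp-content/uploads/2025/11/menu.pdf",
    "/wp-content/uploads/2025/11/photo.jpg",
    "/wp-content/uploads/2025/11/cache.php",
    "/wp-content/uploads/2025/11/avatar.php.jpg",
    "/wp-content/uploads/2025/11/.htaccess",
]

# Extensions that should never be written by a booking plugin's upload feature (assumed list).
SUSPICIOUS_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".js", ".htaccess"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of fields for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before comparing
    return rec


def find_upload_posts(log_text):
    """All POST requests to the vulnerable endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            hits.append(rec)
    return hits


def repeated_uploaders(log_text, threshold=3):
    """Source addresses that hit the endpoint at least `threshold` times (threshold is an assumption)."""
    counts = Counter(rec["ip"] for rec in find_upload_posts(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def suspicious_files(paths):
    """Paths whose name carries a risky extension anywhere after the first dot (catches x.php.jpg and .htaccess)."""
    flagged = []
    for p in paths:
        parts = PurePosixPath(p).name.lower().split(".")
        exts = {"." + part for part in parts[1:]}
        if exts & SUSPICIOUS_EXTENSIONS:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for rec in find_upload_posts(SAMPLE_LOG):
        print(f"upload POST from {rec['ip']} at {rec['ts']} ua={rec['ua']!r}")
    print("repeat offenders:", repeated_uploaders(SAMPLE_LOG))
    print("suspicious new files:", suspicious_files(SAMPLE_NEW_FILES))
```

In production the log text would come from the web server's access log and the file listing from a find over the uploads directory limited to recent modification times; the threshold and extension list should be tuned to the site's normal upload behaviour.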
Mitigation and prioritisation
- Update to 2.2.4 or later, or remove/disable the upload functionality if patching isn't feasible.
- Harden with least-privilege admin accounts; enforce MFA for all admins.
- Implement input validation or WAF rules to restrict file types and sizes; validate MIME types server-side.
- Monitor and rotate admin credentials; audit admin activity and file changes.
- Schedule patch during the next maintenance window; verify no unintended side effects post-deployment.
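The server-side validation recommended above, shown as an added example in Python (it is not the plugin's PHP code and not the fix shipped in 2.2.4). The check allow-lists extensions, rejects names with path separators or more than one extension, enforces a size limit, and confirms the file's leading bytes match the claimed type, so a PHP script renamed to .jpg is refused. The allow-list, size limit and sample inputs are assumptions chosen for illustration.

```python
# Allow-list of extensions a booking plugin plausibly needs, with the magic bytes each must begin with (assumed).
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


def validate_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return (accepted, reason). Every rejection names the failed check so it can be logged."""
    # Filename sanity: no directory components, no NUL bytes.
    if not filename or any(c in filename for c in ("/", "\\", "\x00")):
        return False, "invalid filename"
    parts = filename.lower().split(".")
    # Exactly one extension: rejects "x.php.jpg" and dotfiles such as ".htaccess".
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "filename must have exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension not allowed"
    if len(data) == 0:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, "file too large"
    # Content must match the claimed type; the extension alone proves nothing.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("menu.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
        ("script.php", b"<?php echo 1;"),
        ("photo.jpg", b"<?php echo 1;"),
        ("avatar.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, blob in samples:
        print(name, validate_upload(name, blob))
```

Pairing this with storage outside the web root, or an uploads directory configured so the web server never executes scripts from it, limits the impact if a check is ever bypassed.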