CVE Alert: CVE-2025-12161 – burhandodhy – Smart Auto Upload Images – Import External Images

CVE-2025-12161

Severity: HIGH (no exploitation known)

The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

CVSS v3.1 (8.8)
Vendor
burhandodhy
Product
Smart Auto Upload Images – Import External Images
Versions
* <= 1.2.0
CWE
CWE-434: Unrestricted Upload of File with Dangerous Type
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-11-08T03:27:48.931Z
Updated
2025-11-08T03:27:48.931Z

AI Summary Analysis

Risk verdict

High risk: authenticated contributors can upload arbitrary files due to missing validation, potentially enabling remote code execution; patch promptly.

Why this matters

Exploiting this flaw could give an attacker full control of the affected site, allowing data theft, defacement, or malware hosting. In a worst-case scenario, server compromise could pivot to other credentials or internal systems, depending on hosting and server hardening.

Most likely attack path

With Contributor-level access or higher, and no interaction required from other users, an attacker submits a file that passes the missing file-type check in the auto-image creation workflow. If the server treats the stored upload as executable (for example, a PHP file under a directory where PHP is handled), the code runs with the web server's privileges, which can lead to full site compromise. The attack relies on an unpatched plugin and an environment where uploaded files are not isolated from execution.

Who is most exposed

WordPress sites using Smart Auto Upload Images <= 1.2.0, especially where contributor accounts exist and hosting grants filesystem write access (common in shared or low-hygiene hosting). These deployments are typical in sites that rely on user-generated content workflows.

Detection ideas

  • Surges in uploads to the uploads/media directory with executable file extensions (e.g., .php, .phtml).
  • New or modified PHP files under plugin or wp-content paths following image processing.
  • Admin or contributor activity logs showing image-upload events outside normal patterns.
  • Web server error/rewrite logs showing attempts to execute uploaded files.
  • Antivirus or EDR alerts triggered by suspicious file types or shell commands.
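The first four detection ideas above can be checked mechanically. The following is an added example, not code from the page or the plugin's author: it parses Combined Log Format access log lines (the default format for Apache and nginx), flags requests for executable-looking files under `/wp-content/uploads/`, counts them per source IP, and can also walk an uploads directory on disk to list executable-looking files. The log lines, the IP addresses and the extension list are constructed for the example; adjust `EXEC_EXTENSIONS` to whatever your PHP handler actually maps.

```python
import os
import posixpath
import re
import tempfile
from collections import Counter
from urllib.parse import urlsplit

# Extensions a PHP-enabled web server may execute. Hypothetical list for this
# example; align it with the AddHandler / location rules on your own server.
EXEC_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}

# Where WordPress stores media uploads, relative to the web root.
UPLOADS_PREFIX = "/wp-content/uploads/"

# Combined Log Format, e.g.:
# 203.0.113.5 - - [08/Nov/2025:03:30:01 +0000] "GET /x HTTP/1.1" 200 512 "-" "UA"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Nov/2025:03:30:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Nov/2025:03:30:02 +0000] "GET /wp-content/uploads/2025/11/image.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Nov/2025:03:30:09 +0000] "GET /wp-content/uploads/2025/11/cache.php HTTP/1.1" 200 128 "-" "curl/8.4.0"
198.51.100.7 - - [08/Nov/2025:03:31:15 +0000] "GET /wp-content/uploads/2025/11/logo.png HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Nov/2025:03:31:20 +0000] "GET /wp-content/uploads/2025/11/shell.phtml HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


def is_executable_name(filename: str) -> bool:
    """True if any extension component (shell.php, but also shell.php.jpg) is one
    a PHP handler may execute. Double extensions are flagged deliberately,
    because some server configurations match on inner extensions."""
    parts = posixpath.basename(filename).lower().split(".")[1:]
    return any(part in EXEC_EXTENSIONS for part in parts)


def find_executable_upload_requests(log_text: str) -> list:
    """Every request for an executable-looking file under the uploads tree,
    regardless of status code: a 403 still shows that something was placed
    there or that someone is probing for it."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        path = urlsplit(m.group("target")).path  # drop any query string
        if path.startswith(UPLOADS_PREFIX) and is_executable_name(path):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


def summarise_by_ip(hits: list) -> Counter:
    """Hits per source IP, to spot one client touching several such files."""
    return Counter(h["ip"] for h in hits)


def scan_uploads_dir(root: str) -> list:
    """Walk an uploads directory on disk and list executable-looking files
    (the 'new or modified PHP files under wp-content' check)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_executable_name(name):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


if __name__ == "__main__":
    for hit in find_executable_upload_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['path']}")
    print(summarise_by_ip(find_executable_upload_requests(SAMPLE_LOG)))
    # Constructed on-disk demo: a temporary uploads tree with one bad file.
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "2025", "11")
        os.makedirs(sub)
        for name in ("photo.jpg", "cache.php", "banner.png"):
            open(os.path.join(sub, name), "wb").close()
        print(scan_uploads_dir(tmp))
```

Run it against a real access log by passing the file's contents to `find_executable_upload_requests`, and point `scan_uploads_dir` at the site's `wp-content/uploads` directory. Files that an image-processing workflow legitimately creates should never match; any hit is worth a manual look, and a burst of hits from one IP shortly after an image-import action is the pattern the detection bullets describe.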

Mitigation and prioritisation

  • Patch to the latest version (anything later than 1.2.0), or remove the vulnerable plugin until it is fixed.
  • Enforce least privilege: restrict who holds the Contributor role, disable filesystem write access where it is unnecessary, and apply strict server-side file-type validation.
  • Enable WAF rules to block execution of non-image uploads and restrict uploads to safe storage paths.
  • Monitor uploads, with automatic alerts for non-image or executable content.
  • Review change management: verify plugin integrity and test in staging before deploying fixes.
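The "strict server-side file-type validation" and "safe storage paths" items describe the control the vulnerable plugin lacks. The following is an added example, not the plugin's code and not a description of how the fix was implemented: it shows what a proper check looks like. Extension alone is never trusted; the file's leading bytes must match an allowlisted image type, the extension must agree with the detected type, double extensions that contain an executable component are rejected, and the stored name is generated rather than taken from the client. The signature table and the dangerous-fragment list are constructed for the example.

```python
import posixpath
import secrets
from typing import Optional, Tuple

# Allowlisted image types, keyed by canonical extension, with the magic bytes
# each must start with. Constructed for this example.
IMAGE_SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# WebP is "RIFF" + 4-byte length + "WEBP"; it is matched separately below.
ALLOWED_EXTENSIONS = set(IMAGE_SIGNATURES) | {"jpeg", "webp"}

# Extension components that must never appear anywhere in an uploaded name,
# so that shell.php.png is rejected as well as shell.php. Constructed list.
DANGEROUS_FRAGMENTS = {"php", "phtml", "php3", "php5", "php7", "phar",
                       "phps", "shtml", "htaccess"}


def detect_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from its leading bytes, or None if unknown."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection names the failed check so
    the decision can be logged for the monitoring bullet above."""
    name = posixpath.basename(filename)          # strip directory components
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension"
    if any(p in DANGEROUS_FRAGMENTS for p in parts[1:]):
        return False, "executable extension present"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allowlist"
    detected = detect_image_type(data)
    if detected is None:
        return False, "content is not a recognised image"
    if ext == "jpeg":
        ext = "jpg"                               # treat .jpeg as .jpg
    if detected != ext:
        return False, f"extension .{ext} does not match content ({detected})"
    return True, "ok"


def safe_storage_name(validated_ext: str) -> str:
    """A random server-chosen file name with the validated extension only, so
    nothing from the client-supplied name reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{validated_ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a PHP-looking blob.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    php = b"<?php echo 1; ?>"
    for fname, blob in [("photo.png", png), ("cache.php", php),
                        ("shell.php.png", png), ("evil.png", php),
                        ("mislabelled.jpg", png)]:
        print(fname, validate_image_upload(fname, blob))
    print(safe_storage_name("png"))
```

Magic-byte checks stop the plain "rename a PHP file to .png" case but not every polyglot, so in production the accepted file should additionally be decoded and re-encoded by an image library before storage, and the web server should be configured not to execute scripts under the uploads directory at all; the validation here is the application-side half of that pairing.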
