CVE Alert: CVE-2025-12637 – koopersmith – Elastic Theme Editor

CVE-2025-12637

HIGH
No exploitation known

The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

CVSS v3.1 (8.8)
Vendor
koopersmith
Product
Elastic Theme Editor
Versions
* lte 0.0.3
CWE
CWE-94 Improper Control of Generation of Code (‘Code Injection’)
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-11-11T03:30:50.343Z
Updated
2025-11-11T03:30:50.343Z

AI Summary Analysis

Risk verdict

High — authenticated attackers with Subscriber+ access could upload arbitrary files and potentially achieve remote code execution.

Why this matters

The flaw enables code execution via arbitrary uploads, risking site takeover, data exposure, and use of the site to host or propagate malware. Exploitation needs only network access and no user interaction, so automated attempts are straightforward once a low-privilege account is held.

Most likely attack path

An authenticated Subscriber+ user abuses the plugin’s upload flow to trigger the insecure dynamic code generation, dropping a malicious payload into a web-accessible path. The CVSS indicates network access with low privileges and no UI required, so if the account is compromised, the attacker could execute code with site permissions and pivot to other assets on the server.

Who is most exposed

WordPress sites still running Elastic Theme Editor up to version 0.0.3 on shared or managed hosting, where administrator or contractor accounts may have plugin access and upload rights.

Detection ideas

  • New PHP files appear in the theme/editor directory.
  • Unusual or large file uploads via the plugin endpoints.
  • Web shells or suspicious PHP payloads executed or stored.
  • Anomalous authenticated upload activity from Subscriber+ accounts.
  • Unexpected PHP execution attempts tied to the plugin paths.
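The file integrity check referred to in the detection and mitigation notes, as an added example that is not part of this alert: it baselines a WordPress themes directory by hash, then flags newly appeared PHP files and modified theme files. The theme name, file names and directory layout are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

PHP_SUFFIXES = (".php", ".phtml", ".phar")


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a POSIX relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def find_suspicious_changes(baseline: dict, current: dict) -> dict:
    """Diff two manifests: new PHP files (the primary indicator in the detection
    ideas) and any file whose content changed since the baseline was taken."""
    new_php = [p for p in current if p not in baseline and p.lower().endswith(PHP_SUFFIXES)]
    modified = [p for p in current if p in baseline and current[p] != baseline[p]]
    return {"new_php": sorted(new_php), "modified": sorted(modified)}


def demo() -> dict:
    """Constructed scenario: a clean theme directory is baselined, then a PHP file
    appears and functions.php is altered, the kind of change a theme editor
    writing generated code into a web-accessible path would produce."""
    with tempfile.TemporaryDirectory() as tmp:
        themes = Path(tmp) / "wp-content" / "themes"
        theme = themes / "example-theme"  # constructed theme name
        theme.mkdir(parents=True)
        (theme / "style.css").write_text("/* Theme Name: Example */\n")
        (theme / "functions.php").write_text("<?php // original theme code\n")
        baseline = build_manifest(themes)

        # Simulated post-incident state (constructed placeholder content, not a payload).
        (theme / "generated-1.php").write_text("<?php /* unexpected new file */\n")
        (theme / "functions.php").write_text("<?php // altered theme code\n")
        (theme / "screenshot.png").write_bytes(b"\x89PNG")  # new but not PHP: not flagged
        current = build_manifest(themes)

    return find_suspicious_changes(baseline, current)


if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest would be written to storage outside the web root after each legitimate theme change, and the comparison scheduled or triggered by a file watcher.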

Mitigation and prioritisation

  • Patch to 0.0.4+ or remove/disable the plugin; if unavailable, restrict uploads to approved paths and disable dynamic code generation.
  • Enforce MFA, least privilege for Subscriber+ accounts, and rotate affected credentials.
  • Deploy WAF/IPS rules to block suspicious file upload payloads; monitor with file integrity checks.
  • Keep regular backups and test any fix in a staging environment before applying it.
  • If EPSS ≥ 0.5 or KEV is active, treat as priority 1.
