CVE Alert: CVE-2025-9212 – ekndev – WP Dispatcher

CVE-2025-9212

HIGH
No exploitation known

The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.

CVSS v3.1 (7.5)
Vendor
ekndev
Product
WP Dispatcher
Versions
* <= 1.2.0
CWE
CWE-434 Unrestricted Upload of File with Dangerous Type
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-10-03T11:17:22.865Z
Updated
2025-10-03T18:25:34.795Z

AI Summary Analysis

Risk verdict

High risk of remote code execution on affected sites if unpatched; exploitation requires authentication but could enable arbitrary file uploads leading to server compromise.

Why this matters

Authenticated attackers with Subscriber-level access or above can upload arbitrary files, potentially culminating in remote code execution and full site takeover. The impact includes data exposure, compliance risk and potential disruption of web services, especially on exposed WordPress deployments with vulnerable plugins.

Most likely attack path

A low-privileged attacker with network access can upload a file of any type through the WP Dispatcher upload function, because it performs no file-type validation. With Scope unchanged and high impact on confidentiality, integrity and availability, a follow-on step (such as triggering execution of the uploaded file) could compromise the host without user interaction.

Who is most exposed

Sites running WordPress with WP Dispatcher <= 1.2.0, particularly on shared hosting or where Subscriber-level accounts exist and upload workflows are enabled.

Detection ideas

  • Unexpected PHP or other executable files appearing in the uploads area linked to the plugin.
  • Anomalous upload activity from Subscriber+ accounts to the WP Dispatcher endpoints.
  • Web shell indicators or suspicious filenames in the site’s uploads directory.
  • Increased 500/401 errors around the plugin’s upload path; unusual access patterns to the upload API.

Mitigation and prioritisation

  • Upgrade WP Dispatcher to a safe version beyond 1.2.0 or remove the plugin if unused.
  • If patching is slow, disable the upload feature or the entire plugin; implement a WAF rule to block arbitrary file uploads via the endpoint.
  • Enforce strict server-side file-type validation and store uploads outside the web root where feasible.
  • Restrict subscriber-level capabilities around uploads; review and tighten authentication workflows.
  • Test changes in a staging environment before production rollout; monitor for indicators of exploitation during remediation.
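As an added example (not code from WP Dispatcher or ekndev), the following PHP upload handler shows the server-side controls the third and fourth mitigation bullets call for: an extension allow-list, content sniffing instead of trusting the client-declared type, a server-generated filename, and storage outside the web root. The constant and function names, the allow-list and the storage path are assumptions.

```php
<?php
// Added example, not WP Dispatcher's or ekndev's code; ALLOWED_TYPES, MAX_BYTES, UPLOAD_STORE and
// hardened_store_upload are hypothetical names. It applies the server-side checks the advisory says
// the vulnerable upload function lacks; an .htaccess in the upload directory is only a backstop.
// Allow-list of extensions and the content type each file must actually have.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];
const MAX_BYTES    = 5 * 1024 * 1024;
const UPLOAD_STORE = '/var/app-data/uploads'; // outside the web root; nothing serves or executes it
/**
 * Validates one $_FILES entry and moves it into UPLOAD_STORE under a random name.
 * Returns the stored path; throws on every rejection so a caller cannot ignore the outcome.
 */
function hardened_store_upload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    // Only handle a file PHP itself received via HTTP POST, never an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Exactly one extension, taken from the allow-list; multi-extension names are rejected outright.
    $parts = explode('.', basename($file['name']));
    if (count($parts) !== 2 || $parts[0] === '') {
        throw new RuntimeException('Filename must be name.ext with a single extension');
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("Extension .$ext is not permitted");
    }
    // Sniff the real type from the bytes; $file['type'] is client-supplied and is ignored.
    // (WordPress core offers wp_check_filetype_and_ext() for the same purpose.)
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: 'unknown';
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    // Server-chosen random name: the stored path never contains attacker-controlled text.
    $dest = UPLOAD_STORE . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}
```

Called as `hardened_store_upload($_FILES['file'])` from the plugin's upload endpoint, the handler rejects anything not on the allow-list before a byte reaches disk, and the capability check for who may call the endpoint remains a separate control the plugin must still enforce.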
