CVE-2025-12138
📋 TL;DR
The URL Image Importer WordPress plugin allows authenticated attackers with Author-level access or higher to upload arbitrary files, including PHP files, due to improper validation of user-controlled Content-Type headers. This vulnerability affects all versions up to 1.0.6 and can lead to remote code execution on vulnerable WordPress sites.
💻 Affected Systems
- WordPress URL Image Importer plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, defacement, or malware distribution.
Likely Case
Unauthorized file upload leading to webshell installation, backdoor persistence, or limited code execution.
If Mitigated
File upload attempts logged and blocked, with no successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.7 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find URL Image Importer plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 1.0.7+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable plugin
allTemporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate url-image-importer
Restrict file uploads
allUse web application firewall to block suspicious file uploads to plugin endpoints.
🧯 If You Can't Patch
- Remove Author-level access from untrusted users
- Implement file integrity monitoring on upload directories
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins > Installed Plugins.Check Version:
wp plugin get url-image-importer --field=versionVerify Fix Applied:
Confirm plugin version is 1.0.7 or higher after update.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/plugins/url-image-importer/
- POST requests to plugin endpoints with non-image Content-Type headers
- Unauthorized PHP file creation in upload directories
Network Indicators:
- HTTP requests to plugin upload endpoints with malicious file payloads
SIEM Query:
source="wordpress.log" AND ("uimptr_import_image_from_url" OR "url-image-importer") AND ("POST" OR "upload")🔗 References
- https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1319
- https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1353
- https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1358
- https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L198
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395852%40url-image-importer&new=3395852%40url-image-importer&sfp_email=&sfph_mail=#file9
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1da18430-1bd0-4f63-9e22-5d26de2be410?source=cve
