Login Sign Up

CVE-2025-12331

4.7 MEDIUM

📋 TL;DR

Willow CMS up to version 1.4.0 contains an unrestricted file upload vulnerability in the /admin/images/add endpoint. This allows attackers to upload malicious files to the server, potentially leading to remote code execution. All Willow CMS installations up to version 1.4.0 are affected.

💻 Affected Systems

Products:
  • Willow CMS
Versions: Up to and including 1.4.0
Operating Systems: All platforms running Willow CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin access to /admin/images/add endpoint.

📦 What is this software?

Willow Cms by Matthewdeaves

View all CVEs affecting Willow Cms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Webshell deployment allowing persistent access, file system manipulation, and potential privilege escalation.

🟢

If Mitigated

File uploads blocked or sanitized, limiting impact to denial of service or temporary disruption.

🌐 Internet-Facing: HIGH - Remote exploitation is possible and public exploit exists.
🏢 Internal Only: MEDIUM - Requires network access but exploit complexity is medium.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires admin access to the vulnerable endpoint. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1 or later

Vendor Advisory: https://github.com/matthewdeaves/willow/issues/132

Restart Required: No

Instructions:

1. Backup current installation. 2. Download Willow CMS version 1.4.1 or later from official repository. 3. Replace affected files with patched version. 4. Verify functionality.

🔧 Temporary Workarounds

Restrict access to /admin/images/add

all

Block or restrict access to the vulnerable endpoint using web server configuration or firewall rules.

# Apache: <Location /admin/images/add> Require all denied </Location>
# Nginx: location /admin/images/add { deny all; }

Implement file upload validation

all

Add server-side validation to restrict file types, extensions, and content.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Willow CMS instances
  • Deploy web application firewall with file upload protection rules

🔍 How to Verify

Check if Vulnerable:

Check Willow CMS version in admin panel or configuration files. If version is 1.4.0 or earlier, system is vulnerable.

Check Version:

Check config.php or admin panel for version information

Verify Fix Applied:

Verify version is 1.4.1 or later. Test file upload functionality with malicious files to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /admin/images/add
  • Large or suspicious files in upload directories
  • Multiple failed upload attempts

Network Indicators:

  • POST requests to /admin/images/add with unusual file types
  • Traffic patterns indicating file upload exploitation

SIEM Query:

source="web_server" AND (uri="/admin/images/add" AND method="POST") AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp")

📊 Metadata

CVE ID: CVE-2025-12331
CVSS v3 Score: 4.7 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-284
EPSS Score: 0.05% exploit probability (16.8th percentile)
Published: October 27, 2025
Last Updated: December 8, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12331, you might also want to check these:

CVE-2021-34795 10.0

This critical vulnerability in Cisco Catalyst PON Series Switches ONT web management interface allow...

Same vulnerability type (CWE-284)
CVE-2021-40113 10.0

Multiple vulnerabilities in Cisco Catalyst PON Series Switches ONT web management interface allow un...

Same vulnerability type (CWE-284)
CVE-2026-21636 10.0

A critical vulnerability in Node.js v25's experimental permission model allows attacker-controlled i...

Same vulnerability type (CWE-284)