CVE-2025-12399 – The Alex Reservations WordPress plugin up to ve... (How to Fix)

Q: What is the severity of CVE-2025-12399?

CVE-2025-12399 has a CVSS score of 7.2 (HIGH). The Alex Reservations WordPress plugin up to version 2.2.3 allows authenticated administrators to upload arbitrary files via a vulnerable REST API endpoint. This can lead to remote code execution on affected WordPress sites. Only sites using this specific plugin are affected.

📋 TL;DR

The Alex Reservations WordPress plugin up to version 2.2.3 allows authenticated administrators to upload arbitrary files via a vulnerable REST API endpoint. This can lead to remote code execution on affected WordPress sites. Only sites using this specific plugin are affected.

💻 Affected Systems

Products:

Alex Reservations: Smart Restaurant Booking WordPress plugin

Versions: All versions up to and including 2.2.3

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin activated. Administrator or higher privileges needed for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, or pivot to other systems.

🟠

Likely Case

Attackers with administrator credentials upload web shells to gain persistent access and execute arbitrary commands on the server.

🟢

If Mitigated

If proper file upload validation and least privilege are enforced, impact is limited to file storage abuse without code execution.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires administrator credentials. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.4

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3390614/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Alex Reservations: Smart Restaurant Booking'. 4. Click 'Update Now' if available, or manually update to version 2.2.4+. 5. Verify update completes successfully.

🔧 Temporary Workarounds

Disable vulnerable REST endpoint

all

Remove or restrict access to the /wp-json/srr/v1/app/upload/file endpoint

Add to theme's functions.php or custom plugin: remove_action('rest_api_init', 'register_srr_upload_route');

Web server file upload restrictions

all

Configure web server to block uploads of executable files via the vulnerable endpoint

For Apache: <Location "/wp-json/srr/v1/app/upload/file">
    SetEnvIf Request_URI ".*\.(php|phtml|php3|php4|php5|php7|phps|php-s|pht|phar)" block_upload
    Deny from env=block_upload
</Location>
For Nginx: location ~ ^/wp-json/srr/v1/app/upload/file {
    if ($request_filename ~*\.(php|phtml|php3|php4|php5|php7|phps|php-s|pht|phar)$) {
        return 403;
    }
}

🧯 If You Can't Patch

Temporarily deactivate the Alex Reservations plugin until patched
Implement strict file upload validation at the application level or via WAF

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Alex Reservations: Smart Restaurant Booking' version 2.2.3 or lower

Check Version:

wp plugin list --name='alex-reservations' --field=version

Verify Fix Applied:

Confirm plugin version is 2.2.4 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

POST requests to /wp-json/srr/v1/app/upload/file with unusual file extensions
File uploads to wp-content/uploads/ with .php, .phtml, or other executable extensions
Administrator account performing unexpected file uploads

Network Indicators:

HTTP POST requests to vulnerable endpoint with file uploads
Subsequent requests to newly uploaded files with executable extensions

SIEM Query:

source="web_access_logs" AND (uri_path="/wp-json/srr/v1/app/upload/file" AND method="POST") AND (user_agent NOT CONTAINS "WordPress" OR file_extension IN ("php", "phtml", "php3", "php4", "php5", "php7", "phps", "php-s", "pht", "phar"))

📊 Metadata

CVE ID: CVE-2025-12399

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

EPSS Score: 0.33% exploit probability (55.6th percentile)

Published: November 8, 2025

Last Updated: November 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12399, you might also want to check these: