CVE-2025-12630

4.9 MEDIUM

📋 TL;DR

The Upload.am WordPress plugin before version 1.0.1 contains an insecure direct object reference vulnerability that allows authenticated users with contributor-level permissions to view sensitive site configuration options. This affects WordPress sites running vulnerable versions of the Upload.am plugin.

💻 Affected Systems

Products:
  • Upload.am WordPress plugin
Versions: All versions before 1.0.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Upload.am plugin enabled and at least contributor-level user accounts.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive configuration data including database credentials, API keys, or admin settings, potentially leading to full site compromise through credential reuse or privilege escalation.

🟠 Likely Case

Contributor-level users could view site options they shouldn't have access to, potentially exposing configuration details that could aid further attacks.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to information disclosure without direct system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with at least contributor permissions. The vulnerability is in an AJAX endpoint without proper capability checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1

Vendor Advisory: https://wpscan.com/vulnerability/531537f1-5547-4b0f-9e11-3f8a0b2589f5/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the Upload.am plugin.
  4. Click 'Update Now' if an update is available.
  5. Alternatively, download version 1.0.1+ from the WordPress repository and replace the existing files.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily deactivate the Upload.am plugin until patched

wp plugin deactivate upload-am

Restrict user roles

all

Limit contributor-level accounts or implement additional access controls

🧯 If You Can't Patch

  • Remove contributor-level user accounts or restrict their permissions
  • Implement web application firewall rules to block access to vulnerable AJAX endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Upload.am version. If version is below 1.0.1, system is vulnerable.

Check Version:

wp plugin get upload-am --field=version

Verify Fix Applied:

Verify Upload.am plugin version is 1.0.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual AJAX requests to upload-am endpoints from contributor-level users
  • Multiple failed attempts to access admin functions from non-admin accounts

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action parameters related to upload-am

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND user_role="contributor" AND action="*upload-am*")
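The SIEM query above, applied in code as an added example (not part of this advisory and not the plugin's code): it runs the same match over constructed JSON log records, skips malformed lines, and counts hits per user for the "multiple attempts" indicator. Field names follow the query; the action names and the threshold are assumptions.

```python
# Added example, not the advisory's or plugin's code: apply the advisory's
# SIEM query logic to constructed JSON log records and count hits per user.
import json
import fnmatch
from collections import Counter

# Constructed sample records using the field names the advisory's SIEM
# query assumes (uri_path, http_method, user_role, action); action names
# are placeholders, not the plugin's real AJAX actions. One line is malformed.
SAMPLE_LOG = """\
{"ts":"2025-11-05T10:01:02Z","user":"alice","user_role":"contributor","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","action":"upload-am_get_options"}
{"ts":"2025-11-05T10:01:05Z","user":"alice","user_role":"contributor","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","action":"upload-am_get_options"}
{"ts":"2025-11-05T10:02:00Z","user":"bob","user_role":"administrator","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","action":"upload-am_get_options"}
{"ts":"2025-11-05T10:03:00Z","user":"carol","user_role":"contributor","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","action":"heartbeat"}
{"ts":"2025-11-05T10:04:00Z","user":"dave","user_role":"contributor","http_method":"GET","uri_path":"/wp-admin/admin-ajax.php","action":"upload-am_list"}
{"ts":"2025-11-05T10:05:00Z","user":"erin","user_role":"subscriber","http_method":"POST","uri_path":"/wp-admin/admin-ajax.php","action":"upload-am_get_options"}
this line is not JSON and must be skipped
"""

def matches_advisory_query(rec: dict) -> bool:
    """POST to admin-ajax.php by a contributor with action matching *upload-am*."""
    return (
        rec.get("uri_path") == "/wp-admin/admin-ajax.php"
        and rec.get("http_method") == "POST"
        and rec.get("user_role") == "contributor"
        and fnmatch.fnmatchcase(rec.get("action", ""), "*upload-am*")
    )

def scan_log(text: str) -> Counter:
    """Per-user hit counts; malformed lines are skipped, not fatal."""
    hits = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_advisory_query(rec):
            hits[rec.get("user", "<unknown>")] += 1
    return hits

def repeated_offenders(hits: Counter, threshold: int = 2) -> list:
    """Users at/above threshold (assumed tuning value): 'multiple attempts' indicator."""
    return sorted(u for u, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    counts = scan_log(SAMPLE_LOG)
    print(dict(counts), "repeated:", repeated_offenders(counts))
```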
