CVE-2025-4578
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on WordPress sites using the File Provider plugin. Attackers can potentially read, modify, or delete database content, including sensitive user data. All WordPress installations with File Provider plugin versions up to 1.2.3 are affected.
💻 Affected Systems
- WordPress File Provider plugin
📦 What is this software?
File Provider by Dimdavid
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, site defacement, or full system takeover if database user has elevated privileges.
Likely Case
Data exfiltration of sensitive information (user credentials, personal data), database manipulation, or denial of service.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, though some data exposure may still occur.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to vulnerable AJAX endpoints. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.4 or later
Vendor Advisory: https://wpscan.com/vulnerability/3aa76b96-40b7-4bde-a39c-c1aa6f8278fc/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the File Provider plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.2.4 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable AJAX action handler.
Add to the theme's functions.php or a custom plugin: remove_action('wp_ajax_nopriv_[vulnerable_action]', '[callback_function]'); Note that remove_action() only takes effect if it runs after the plugin has registered the hook and with the same priority the plugin used; otherwise it silently does nothing.
Web Application Firewall rule
Block SQL injection patterns targeting File Provider endpoints.
WAF-specific: create a rule that blocks requests to /wp-admin/admin-ajax.php whose action parameter belongs to File Provider and whose parameters contain SQL keywords.
🧯 If You Can't Patch
- Disable or remove the File Provider plugin entirely
- Implement strict network access controls to limit who can reach the WordPress admin-ajax.php endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → File Provider → Version number. If version is 1.2.3 or earlier, system is vulnerable.
Check Version:
wp plugin list --name=file-provider --field=version (if WP-CLI is installed)
Verify Fix Applied:
After update, confirm File Provider plugin version shows 1.2.4 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- Multiple POST requests to /wp-admin/admin-ajax.php with SQL keywords in parameters
- Unexpected database queries from web server process
Network Indicators:
- HTTP POST requests to admin-ajax.php containing SQL injection payloads
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (payload CONTAINS "UNION" OR payload CONTAINS "SELECT" OR payload CONTAINS "INSERT" OR payload CONTAINS "DELETE")
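The log and network indicators above, worked as an added Python example (not part of the advisory or the plugin): it scans constructed access-log lines, scopes matches to the plugin's AJAX action, and uses whole-word keyword matching so that the substring-style SIEM query's false positives (e.g. "selection", a post body containing "delete") are avoided, then counts hits per source IP to surface repeated probing. The log format (POST body appended after the status code) and the `file_provider` action prefix are assumptions, since the advisory names neither.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: the plugin's AJAX action names start with this prefix. The
# advisory does not give the real action name, so this is a placeholder.
ACTION_PREFIX = "file_provider"

# Whole-word SQL keywords; a bare substring match would also flag benign
# values such as "selection" or "deleted".
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE|UPDATE|DROP)\b", re.I)

# Assumed custom log shape: client, timestamp, request line, status, then the
# URL-decoded POST body in quotes (the stock combined format omits bodies).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<body>.*)"$'
)

# Constructed sample traffic (not real logs); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 "action=file_provider_list&id=1"
203.0.113.10 - - [12/Jun/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 "action=file_provider_list&id=1 UNION SELECT 1,2,3"
203.0.113.10 - - [12/Jun/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 "action=file_provider_list&id=1 UNION SELECT 1,2,3,4"
198.51.100.7 - - [12/Jun/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 "action=file_provider_list&name=selection"
198.51.100.7 - - [12/Jun/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 "action=save_post&content=please DELETE my account"
"""

def parse_line(line):
    """Parse one log line; merge query-string and body parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    params = parse_qs(parts.query, keep_blank_values=True)
    for k, v in parse_qs(rec["body"], keep_blank_values=True).items():
        params.setdefault(k, []).extend(v)
    rec["path"], rec["params"] = parts.path, params
    return rec

def is_suspicious(rec):
    """admin-ajax.php request to a File Provider action carrying a SQL keyword."""
    if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return False
    if not any(a.startswith(ACTION_PREFIX) for a in rec["params"].get("action", [])):
        return False
    return any(SQL_KEYWORDS.search(v) for vals in rec["params"].values() for v in vals)

def scan(log_text):
    """Suspicious hits per source IP; repeated hits from one IP indicate probing."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            hits[rec["ip"]] += 1
    return hits
```

Run `scan(SAMPLE_LOG)` to see that only the two keyword-bearing File Provider requests from 203.0.113.10 are reported; the "selection" and "DELETE my account" lines, which the plain substring query would flag, are not.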