KiotViet Sync

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

AI Analysis

Unauthenticated arbitrary file upload vulnerability in KiotViet Sync plugin for WordPress due to missing file type validation

Basic Information

ID CVE-2025-12674

Source Wordfence

Published Nov 5, 2025 at 07:27

Affected Product

Vendor mykiot

Product KiotViet Sync

Version *

Affected Versions mykiot KiotViet Sync *

CWE Classification

CWE-434

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor mykiot

Product KiotViet Sync

Version 1.8.5

References

{
    "lastseen": "",
    "description": "The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.",
    "published": "2025-11-05T07:27:56.065Z",
    "modified": "2025-11-05T07:27:56.065Z",
    "type": "cve",
    "title": "KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7fdd670f-2a71-4c1d-af46-f0fd05352f7e?source=cve\nhttps://wordpress.org/plugins/kiotvietsync/",
    "id": "CVE-2025-12674",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "mykiot KiotViet Sync *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "KiotViet Sync",
    "version": "*",
    "vendor": "mykiot",
    "ai_description": "Unauthenticated arbitrary file upload vulnerability in KiotViet Sync plugin for WordPress due to missing file type validation",
    "ai_severity": "Critical",
    "ai_vendor": "mykiot",
    "ai_product": "KiotViet Sync",
    "ai_version": "1.8.5",
    "ai_score": 9.8
}

KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload_CVE-2025-12674