Smart Auto Upload Images

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

AI Analysis

Arbitrary file upload vulnerability due to missing file type validation in the auto-image creation functionality

Basic Information

ID CVE-2025-12161

Source Wordfence

Published Nov 8, 2025 at 03:27

Affected Product

Vendor burhandodhy

Product Smart Auto Upload Images – Import External Images

Version *

Affected Versions burhandodhy Smart Auto Upload Images – Import External Images *

CWE Classification

CWE-434

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor burhandodhy

Product Smart Auto Upload Images

Version 1.2.0

References

{
    "lastseen": "",
    "description": "The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.",
    "published": "2025-11-08T03:27:48.931Z",
    "modified": "2025-11-08T03:27:48.931Z",
    "type": "cve",
    "title": "Smart Auto Upload Images <= 1.2.0 - Authenticated (Contributor+) Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86dab8e6-b9fd-45ca-bdd1-8665f3bb75f2?source=cve\nhttps://plugins.trac.wordpress.org/changeset?old_path=%2Fsmart-auto-upload-images%2Ftags%2F1.2.0&old=3388129&new_path=%2Fsmart-auto-upload-images%2Ftags%2F1.2.1&new=3388129&sfp_email=&sfph_mail=",
    "id": "CVE-2025-12161",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "burhandodhy Smart Auto Upload Images \u2013 Import External Images *",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Smart Auto Upload Images \u2013 Import External Images",
    "version": "*",
    "vendor": "burhandodhy",
    "ai_description": "Arbitrary file upload vulnerability due to missing file type validation in the auto-image creation functionality",
    "ai_severity": "High",
    "ai_vendor": "burhandodhy",
    "ai_product": "Smart Auto Upload Images",
    "ai_version": "1.2.0",
    "ai_score": 8.8
}

Smart Auto Upload Images <= 1.2.0 - Authenticated (Contributor+) Arbitrary File Upload_CVE-2025-12161