CVE-2025-12968

EPSS 0.5%
Veröffentlicht 12.12.2025 03:20:44
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Infility Global <= 2.14.42 - Authenticated (Subscriber+) Arbitrary File Upload

The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Mögliche Gegenmaßnahme

Infility Global: Update to version 2.14.43, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerinfility

≫

Produkt Infility Global

Default Statusunaffected

Version <= 2.14.42

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Infility Global

Version *-2.14.42

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.5%	0.385

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://www.wordfence.com/threat-intel/vulnerabilities/id/542a18f6-9d17-4e54-85e1-e01630ca371e?source=cve

https://wordpress.org/plugins/infility-global/

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421596%40infility-global&new=3421596%40infility-global&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/542a18f6-9d17-4e54-85e1-e01630ca371e

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-12968

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-12968

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-12968

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-12968