Platform: wordpress
Component: elastic-theme-editor
Fixed in: 0.0.4
CVE-2025-12637 describes an arbitrary file access vulnerability discovered in the Elastic Theme Editor plugin for WordPress. This flaw allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 0.0.3 of the plugin. A fix is expected to be released by the plugin developer.
The primary impact of CVE-2025-12637 is the ability for an authenticated attacker to upload arbitrary files to the WordPress server. This is a significant security risk because uploaded files could contain malicious code, such as web shells or backdoors. Successful exploitation could grant the attacker complete control over the affected WordPress site, allowing them to modify content, steal sensitive data, or even use the server as a launchpad for further attacks. The dynamic code generation flaw in the process_theme function is the root cause, enabling this unauthorized file upload capability.
This vulnerability is currently considered to have a medium exploitation probability. Given the ease of exploitation, public proof-of-concept (PoC) code is likely to emerge once a working exploit is developed. The vulnerability was publicly disclosed on 2025-11-11. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.50% (66th percentile)
The immediate mitigation for CVE-2025-12637 is to upgrade the Elastic Theme Editor plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, restrict file upload permissions on the server to prevent unauthorized file uploads. Review and harden WordPress file upload security settings, including file type restrictions and size limits. Monitor WordPress logs for suspicious file upload activity.
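The file-type restrictions and upload logging recommended above can be enforced from a must-use plugin. The following is an added example written for this page, not code from the Elastic Theme Editor plugin or from WordPress core; it uses only documented WordPress hooks (`upload_mimes`, `wp_handle_upload_prefilter`, `wp_handle_upload`), and the allowlist and log format are assumptions you should adapt to your site.

```php
<?php
/**
 * Plugin Name: Upload Hardening (example mu-plugin, hypothetical)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Pair with define( 'DISALLOW_FILE_EDIT', true ); in wp-config.php to
 * disable the built-in theme/plugin editors as well.
 */

// 1. Allowlist upload MIME types: keep only the image/document types listed here.
//    Keys must match the extension groups WordPress uses in get_allowed_mime_types().
add_filter( 'upload_mimes', function ( array $mimes ) {
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );
    return array_intersect_key( $mimes, $allowed );
} );

// 2. Reject files that carry an executable extension anywhere in the name
//    (e.g. shell.php.jpg) or that contain a PHP open tag in their first 4 KiB,
//    regardless of the MIME type the client declared.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $name = strtolower( $file['name'] );
    if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/', $name ) ) {
        $file['error'] = 'Executable file types are not permitted.';
        return $file;
    }
    $head = file_get_contents( $file['tmp_name'], false, null, 0, 4096 );
    if ( false !== $head && false !== stripos( $head, '<?php' ) ) {
        $file['error'] = 'Upload rejected: file contains PHP code.';
    }
    return $file;
} );

// 3. Record every completed upload with the acting user and roles in the PHP
//    error log, so a low-privilege account (e.g. Subscriber) writing files to
//    the server stands out during review.
add_filter( 'wp_handle_upload', function ( array $upload ) {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    error_log( sprintf( '[upload-audit] user=%d roles=%s file=%s type=%s',
        $user->ID, $roles, $upload['file'], $upload['type'] ) );
    return $upload;
} );
```

These hooks only run for uploads routed through WordPress's media handling; a plugin code path that writes files directly (as the process_theme function described above may) bypasses them, so treat this as defense in depth alongside disabling or updating the plugin.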
Update the Elastic Theme Editor plugin to a fixed version. Check the plugin repository or the developer's website for the latest available version. Since no fixed version is indicated, it is recommended to contact the developer for an update.
CVE-2025-12637 is a vulnerability in the Elastic Theme Editor WordPress plugin allowing authenticated users to upload arbitrary files, potentially leading to remote code execution. It affects versions 0.0.0–0.0.3 and has a CVSS score of 8.8 (HIGH).
You are affected if your WordPress site uses the Elastic Theme Editor plugin and is running version 0.0.0 through 0.0.3. Check your plugin versions immediately.
Upgrade the Elastic Theme Editor plugin to the latest patched version as soon as it's available. Until then, disable the plugin or restrict file upload permissions.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted. Monitor your WordPress site closely.
Check the Elastic Theme Editor plugin's official website or WordPress plugin repository for security advisories and updates related to CVE-2025-12637.