Platform
wordpress
Component
elastic-theme-editor
Fixed in
0.0.4
CVE-2025-12637 is an arbitrary file upload vulnerability in the Elastic Theme Editor plugin for WordPress. An authenticated user with Subscriber-level access or higher can upload arbitrary files to the server, which can lead to remote code execution. Versions 0.0.0 through 0.0.3 are affected; the header above lists 0.0.4 as the fixed release. If that release is not yet available from the plugin developer, treat every installed version as unpatched.
The primary impact of CVE-2025-12637 is that an authenticated attacker can write arbitrary files to the WordPress server. That is a serious risk because the uploaded file can carry executable code such as a web shell or backdoor. Successful exploitation can give the attacker complete control of the affected site: modifying content, stealing sensitive data, or using the server as a launchpad for further attacks. The root cause is a dynamic code generation flaw in the plugin's process_theme function, which is what lets a low-privilege user place unauthorized files on disk.
The exploitation probability is currently rated medium (EPSS 0.50%, 66th percentile). Because the flaw needs only a Subscriber-level account and is easy to exploit, public proof-of-concept code is likely to appear. The vulnerability was publicly disclosed on 2025-11-11 and is not currently listed in the CISA KEV catalog.
Any WordPress site running the Elastic Theme Editor plugin is at risk, and the risk is highest where Subscriber-level (or higher) accounts are held by people who are not fully trusted, for example sites with open user registration, since such an account is all the attacker needs. Shared hosting environments are also particularly exposed: customers there usually cannot change the server configuration and so cannot impose granular file-upload or PHP-execution restrictions.
• wordpress / composer / npm: wp plugin get elastic-theme-editor --field=version (or wp plugin list | grep elastic-theme-editor; the plugin is listed under its slug, not its display name)
• wordpress / composer / npm: wp plugin update elastic-theme-editor (or wp plugin update --all)
• wordpress / composer / npm: grep -r 'process_theme' /var/www/html/wp-content/plugins/elastic-theme-editor/
• generic web: check the WordPress plugin directory for updates and security advisories for Elastic Theme Editor.
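The checks above as one stand-alone script, added here as an example (it is not code from the page or from the plugin). It reads the installed version from the plugin's main-file header instead of relying on wp-cli, compares it against the 0.0.4 fix version from the header of this page, and then sweeps the uploads directory for anything that could run as PHP, by extension and by content. Two things are assumptions, not facts from the page: that the plugin's main file carries a standard WordPress "Version:" header, and that an attacker's file lands under wp-content/uploads, the usual WordPress upload location (the page does not say where process_theme writes). The sample site at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the page or from the plugin: check for an
# exposed Elastic Theme Editor install and sweep uploads for dropped PHP.
# Assumed (not stated on the page): the plugin's main file has a standard
# WordPress "Version:" header, and uploads land under wp-content/uploads.

PLUGIN_SLUG="elastic-theme-editor"
FIXED_VERSION="0.0.4"   # "Fixed in" value from the header of this page

# Print the installed plugin version read from its main-file header.
# Returns 1 when the plugin directory does not exist.
plugin_version() {
    dir="$1/wp-content/plugins/$PLUGIN_SLUG"
    [ -d "$dir" ] || return 1
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$dir"/*.php 2>/dev/null \
        | head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# True when version $1 sorts below version $2 (numeric, up to three
# components, so 0.0.10 is newer than 0.0.9 and short versions are 0-padded).
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END { for (i = 1; i <= 3; i++) { if (a[i] < b[i]) exit 0; if (a[i] > b[i]) exit 1 } exit 1 }'
}

# Print one of: absent, unknown, "vulnerable (x.y.z)", "patched (x.y.z)".
check_plugin() {
    ver="$(plugin_version "$1")" || { echo absent; return 0; }
    [ -n "$ver" ] || { echo unknown; return 0; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable ($ver)"
    else
        echo "patched ($ver)"
    fi
}

# Files under uploads that the web server may execute, judged by extension ...
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null
}

# ... and judged by content: a PHP open tag inside a file with an innocent
# extension (for example an image with PHP appended after its magic bytes).
find_php_tags_in_uploads() {
    grep -rlF '<?php' "$1/wp-content/uploads" 2>/dev/null
}

# Constructed sample site: vulnerable plugin header, one real image, one
# web-shell placeholder and one disguised PHP file under uploads.
make_sample_site() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/plugins/$PLUGIN_SLUG" "$root/wp-content/uploads/2025/11"
    printf '<?php\n/**\n * Plugin Name: Elastic Theme Editor\n * Version: 0.0.3\n */\n' \
        > "$root/wp-content/plugins/$PLUGIN_SLUG/$PLUGIN_SLUG.php"
    printf 'not really an image\n' > "$root/wp-content/uploads/2025/11/photo.jpg"
    printf '<?php echo "placeholder for a dropped web shell";\n' \
        > "$root/wp-content/uploads/2025/11/shell.php"
    printf 'GIF89a\n<?php echo "placeholder hidden in an image";\n' \
        > "$root/wp-content/uploads/2025/11/logo.gif"
    printf '%s' "$root"
}

demo_site="$(make_sample_site)"
echo "plugin: $(check_plugin "$demo_site")"
echo "script-like files under uploads:"; find_php_in_uploads "$demo_site"
echo "files containing a PHP open tag:"; find_php_tags_in_uploads "$demo_site"
rm -rf "$demo_site"
```

On a real host, run check_plugin and the two sweeps against the WordPress root (for example /var/www/html). Any hit from the sweeps on a site that has had this plugin installed deserves incident handling, not just deletion, because the file is evidence of who uploaded it and when.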
Exploit status
disclosure
EPSS
0.50% (percentile 66%)
The immediate mitigation for CVE-2025-12637 is to upgrade the Elastic Theme Editor plugin to a patched release (0.0.4 per the header above) as soon as it is available. Until the patched release is installed, disable the plugin entirely to prevent exploitation. As a temporary workaround, stop uploaded files from being executed: deny PHP execution under wp-content/uploads at the web-server level, review who holds Subscriber-level or higher accounts, and harden the WordPress file-upload settings (allowed file types, size limits). Monitor WordPress and web-server logs for suspicious file upload activity.
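The "deny PHP execution under uploads" workaround, as an added example that is not part of the page or of the plugin. It does not fix the plugin; it turns an uploaded web shell into an inert file until the patched release is deployed. It assumes the WordPress root is passed as the first argument and that the site runs on Apache 2.4 with .htaccess honoured, or on nginx with the printed snippet included in the site's server block (the nginx rule is printed, not installed, since nginx ignores .htaccess).

```shell
#!/bin/sh
# Added example, not code from the page or from the plugin: block execution of
# script-like files under wp-content/uploads so a dropped web shell is served
# as nothing at all. Assumes Apache 2.4 (.htaccess honoured) or nginx.

UPLOADS_REL="wp-content/uploads"

# Apache 2.4 rule: deny every request for a script-like file under uploads.
apache_rule() {
    cat <<'EOF'
# Added by harden_uploads: the uploads tree holds media, never executable code
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# nginx equivalent, to be placed inside the site's server { } block.
nginx_rule() {
    cat <<'EOF'
location ~* ^/wp-content/uploads/.*\.(php|php[0-9]|phtml|phar)$ {
    deny all;
}
EOF
}

# 0 if the uploads .htaccess already carries the deny rule, 1 otherwise.
uploads_hardened() {
    ht="$1/$UPLOADS_REL/.htaccess"
    [ -f "$ht" ] && grep -q 'FilesMatch' "$ht" && grep -q 'Require all denied' "$ht"
}

# Append the Apache rule once (idempotent) and report whether it is in place.
harden_uploads() {
    mkdir -p "$1/$UPLOADS_REL"
    if ! uploads_hardened "$1"; then
        apache_rule >> "$1/$UPLOADS_REL/.htaccess"
    fi
    uploads_hardened "$1"
}

# Demonstration against a constructed, empty WordPress root.
demo_root="$(mktemp -d)"
harden_uploads "$demo_root" && echo "uploads hardened under $demo_root"
echo "nginx equivalent:"; nginx_rule
rm -rf "$demo_root"
```

Verify the rule after deploying it by requesting a harmless test file such as /wp-content/uploads/probe.php and expecting a 403; a 200 means the .htaccess is not being honoured (AllowOverride off) and the rule must go into the main server configuration instead.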
Update the Elastic Theme Editor plugin to a fixed version. Check the plugin repository or the developer's website for the latest available version. The header above lists 0.0.4 as the fixed release; if that version has not been published yet, contact the developer for an update.
CVE-2025-12637 is a vulnerability in the Elastic Theme Editor WordPress plugin allowing authenticated users to upload arbitrary files, potentially leading to remote code execution. It affects versions 0.0.0–0.0.3 and has a CVSS score of 8.8 (HIGH).
You are affected if your WordPress site uses the Elastic Theme Editor plugin and is running version 0.0.0 through 0.0.3. Check your plugin versions immediately.
Upgrade the Elastic Theme Editor plugin to the patched release (0.0.4 per the header above) as soon as it is available. Until then, disable the plugin or deny PHP execution under the uploads directory at the web-server level.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted. Monitor your WordPress site closely.
Check the Elastic Theme Editor plugin's official website or WordPress plugin repository for security advisories and updates related to CVE-2025-12637.