प्लेटफ़ॉर्म
wordpress
घटक
bread-butter
में ठीक किया गया
7.11.1375
CVE-2025-12189 describes an Arbitrary File Access vulnerability discovered in the Bread & Butter: AI-Powered Lead Intelligence WordPress plugin. This flaw allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. The vulnerability affects versions from 0.0.0 up to and including 7.11.1374, and a fix is available in version 8.0.1398.
The primary impact of CVE-2025-12189 is the potential for remote code execution (RCE) on WordPress websites utilizing the vulnerable Bread & Butter plugin. An attacker can exploit this vulnerability by crafting a Cross-Site Request Forgery (CSRF) request to upload a malicious file, such as a PHP shell, to the server. Successful upload and execution of this file grants the attacker control over the web server, enabling them to modify website content, steal sensitive data, or even compromise the entire system. The attack requires tricking a site administrator into clicking a malicious link, highlighting the importance of user awareness and robust security practices.
CVE-2025-12189 was publicly disclosed on 2025-12-05. There are currently no known public proof-of-concept exploits available, but the vulnerability's nature (CSRF leading to file upload) makes it a likely target for exploitation. The EPSS score is pending evaluation, but the potential for RCE suggests a medium to high probability of exploitation if a suitable exploit is developed and disseminated. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Websites running WordPress with the Bread & Butter: AI-Powered Lead Intelligence plugin installed, particularly those with site administrators who are susceptible to social engineering attacks. Shared hosting environments are at increased risk as they often have limited control over plugin updates and security configurations.
• wordpress / composer / npm:
grep -r 'uploadImage\(' /var/www/html/wp-content/plugins/bread-and-butter/src/*• wordpress / composer / npm:
wp plugin list --status=all | grep 'bread-and-butter'• wordpress / composer / npm:
wp plugin update bread-and-butter --version=8.0.1398disclosure
एक्सप्लॉइट स्थिति
EPSS
0.03% (10% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2025-12189 is to immediately upgrade the Bread & Butter plugin to version 8.0.1398 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file upload capabilities within the plugin's settings, if available. Additionally, implement strict CSRF protection measures at the WordPress level, ensuring all sensitive actions require proper nonce validation. Regularly review WordPress plugin permissions and restrict access to sensitive functions. After upgrading, confirm the fix by attempting to upload a test file through the plugin's interface and verifying that the upload is denied or properly validated.
संस्करण 8.0.1398 में अपडेट करें, या एक नया पैच किया गया संस्करण
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2025-12189 is a vulnerability in the Bread & Butter WordPress plugin allowing attackers to upload arbitrary files, potentially leading to remote code execution. It affects versions 0.0.0–7.11.1374.
You are affected if your WordPress site uses the Bread & Butter plugin in versions 0.0.0 through 7.11.1374. Upgrade to 8.0.1398 or later to mitigate the risk.
Upgrade the Bread & Butter plugin to version 8.0.1398 or later. If immediate upgrade isn't possible, implement temporary CSRF protection measures.
While no public exploits are currently known, the vulnerability's nature makes it a likely target for exploitation. Monitor security advisories for updates.
Refer to the Bread & Butter plugin's official website or WordPress plugin repository for the latest security advisory and update information.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।