AI Threat Alert

CVE-2025-12973: AI component: Arbitrary File Upload enables RCE

HIGH PoC AVAILABLE
Published November 21, 2025
CISO Take

If your organization runs WordPress with the S2B AI Assistant plugin, patch immediately to v1.7.9+—this is a trivial-to-exploit file upload vulnerability that gives any Editor-level user a direct path to remote code execution. Review all WordPress editor accounts for compromise and audit recent file uploads in the plugin's storage directory. While the Editor privilege requirement reduces the exposed attack surface, insider threats and account takeover scenarios make this a real operational risk, especially since a public PoC already exists.

What is the risk?

High risk for WordPress deployments using this plugin. CVSS 7.2 (PR:H) requires Editor credentials, but once obtained—via credential stuffing, phishing, or insider threat—exploitation is trivial (AC:L, no user interaction). Full C:H/I:H/A:H impact means successful exploitation yields complete server compromise. Not in CISA KEV and no confirmed active exploitation at publication date, but a public PoC repository (d0n601/CVE-2025-12973) exists, significantly lowering the operational barrier. Organizations that expose WordPress editor access broadly or share credentials are at elevated risk.

How severe is it?

CVSS 3.1
7.2 / 10
EPSS
0.9%
chance of exploitation in 30 days
Higher than 54% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR High
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. PATCH

    Update S2B AI Assistant plugin to v1.7.9+ immediately via WordPress admin. If patching is not feasible, disable the plugin until updated.

  2. AUDIT

    Review all WordPress editor-level accounts—revoke unnecessary privileges and enforce MFA. Audit recent uploads in the plugin's storage path for webshells (.php, .phtml, .php5, .phar).

  3. DETECT

    Query web server access logs for POST requests to plugin upload endpoints followed by GET requests to the same paths—this is the webshell execution pattern. Alert on script execution from upload directories.

  4. HARDEN

    Implement WAF rules blocking executable file uploads to WordPress plugin directories. Ensure upload directories have no-execute permissions (deny execution via .htaccess or nginx deny block).

  5. ROTATE SECRETS

    If compromise is suspected, immediately rotate all API keys on the server—OpenAI, Stripe, database credentials, and any secrets in wp-config.php.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Data Extraction Plugin API AML.T0010.001 AML.T0012 AML.T0040 AML.T0049 AML.T0055 AML.T0072

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity Art. 9 - Risk Management System
ISO 42001
A.10.5 - AI system use by third parties A.8.2 - AI System Security Controls
NIST AI RMF
GOVERN 1.2 - Roles and Responsibilities for AI Risk MANAGE 2.2 - Risk Treatment for AI Systems MANAGE-2.2 - Risk Treatment for AI Risks
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities LLM05 - Supply Chain Vulnerabilities LLM06 - Excessive Agency LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-12973?

If your organization runs WordPress with the S2B AI Assistant plugin, patch immediately to v1.7.9+—this is a trivial-to-exploit file upload vulnerability that gives any Editor-level user a direct path to remote code execution. Review all WordPress editor accounts for compromise and audit recent file uploads in the plugin's storage directory. While the Editor privilege requirement reduces the exposed attack surface, insider threats and account takeover scenarios make this a real operational risk, especially since a public PoC already exists.

Is CVE-2025-12973 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-12973, increasing the risk of exploitation.

How to fix CVE-2025-12973?

1. PATCH: Update S2B AI Assistant plugin to v1.7.9+ immediately via WordPress admin. If patching is not feasible, disable the plugin until updated. 2. AUDIT: Review all WordPress editor-level accounts—revoke unnecessary privileges and enforce MFA. Audit recent uploads in the plugin's storage path for webshells (.php, .phtml, .php5, .phar). 3. DETECT: Query web server access logs for POST requests to plugin upload endpoints followed by GET requests to the same paths—this is the webshell execution pattern. Alert on script execution from upload directories. 4. HARDEN: Implement WAF rules blocking executable file uploads to WordPress plugin directories. Ensure upload directories have no-execute permissions (deny execution via .htaccess or nginx deny block). 5. ROTATE SECRETS: If compromise is suspected, immediately rotate all API keys on the server—OpenAI, Stripe, database credentials, and any secrets in wp-config.php.

What systems are affected by CVE-2025-12973?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin deployments, LLM API integrations via CMS plugins, Web applications with AI chatbot plugins, OpenAI/ChatGPT API consumer applications, Content management systems with AI content generation.

What is the CVSS score for CVE-2025-12973?

CVE-2025-12973 has a CVSS v3.1 base score of 7.2 (HIGH). The EPSS exploitation probability is 0.87%.

What is the AI security impact?

Affected AI Architectures

WordPress AI plugin deploymentsLLM API integrations via CMS pluginsWeb applications with AI chatbot pluginsOpenAI/ChatGPT API consumer applicationsContent management systems with AI content generation

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0012 Valid Accounts
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: A.10.5, A.8.2
NIST AI RMF: GOVERN 1.2, MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM03, LLM05, LLM06, LLM07

What are the technical details?

Original Advisory

The S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploitation Scenario

An adversary targets an organization using the S2B AI Assistant plugin as their customer-facing ChatGPT integration on WordPress. They obtain Editor-level credentials via spearphishing or credential stuffing against the WordPress login portal—a realistic scenario given Editor accounts are often granted to marketing and content teams. Authenticated as an Editor, the adversary calls the plugin's file storage endpoint by submitting a crafted multipart upload request to storeFile(), attaching a PHP webshell with a disguised extension. Since no file type or MIME validation occurs, the webshell is written to the server file system. The adversary directly requests the uploaded file via a browser, achieving arbitrary code execution. From there, they extract the OpenAI API key from plugin configuration, exfiltrate the WordPress database (user PII, chat logs, content), and establish persistent access to the host. If the server is cloud-hosted, they enumerate IAM roles and cloud metadata endpoints for lateral movement.

Weaknesses (CWE)

CWE-434 Unrestricted Upload of File with Dangerous Type

CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

  • [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
  • [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
November 21, 2025
Last Modified
April 15, 2026
First Seen
November 21, 2025

Related Vulnerabilities

CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Supply Chain
CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Supply Chain
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same attack type: Supply Chain
Back to Threat Feed