CVE-2025-12973: AI component: Arbitrary File Upload enables RCE

HIGH PoC AVAILABLE
Published November 21, 2025
CISO Take

If your organization runs WordPress with the S2B AI Assistant plugin, patch immediately to v1.7.9+—this is a trivial-to-exploit file upload vulnerability that gives any Editor-level user a direct path to remote code execution. Review all WordPress editor accounts for compromise and audit recent file uploads in the plugin's storage directory. While the Editor privilege requirement reduces the exposed attack surface, insider threats and account takeover scenarios make this a real operational risk, especially since a public PoC already exists.

Risk Assessment

High risk for WordPress deployments using this plugin. CVSS 7.2 (PR:H) requires Editor credentials, but once obtained—via credential stuffing, phishing, or insider threat—exploitation is trivial (AC:L, no user interaction). Full C:H/I:H/A:H impact means successful exploitation yields complete server compromise. Not in CISA KEV and no confirmed active exploitation at publication date, but a public PoC repository (d0n601/CVE-2025-12973) exists, significantly lowering the operational barrier. Organizations that expose WordPress editor access broadly or share credentials are at elevated risk.

Severity & Risk

CVSS 3.1: 7.2 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 26% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: High
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

5 steps
  1. PATCH

    Update S2B AI Assistant plugin to v1.7.9+ immediately via WordPress admin. If patching is not feasible, disable the plugin until updated.

  2. AUDIT

    Review all WordPress editor-level accounts—revoke unnecessary privileges and enforce MFA. Audit recent uploads in the plugin's storage path for webshells (.php, .phtml, .php5, .phar).

  3. DETECT

    Query web server access logs for POST requests to plugin upload endpoints followed by GET requests to the same paths—this is the webshell execution pattern. Alert on script execution from upload directories.

  4. HARDEN

    Implement WAF rules blocking executable file uploads to WordPress plugin directories. Ensure upload directories have no-execute permissions (deny execution via .htaccess or nginx deny block).

  5. ROTATE SECRETS

    If compromise is suspected, immediately rotate all API keys on the server—OpenAI, Stripe, database credentials, and any secrets in wp-config.php.
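
The DETECT step above, sketched as a log check. This is an added example, not code from the advisory or the plugin: the upload endpoint, storage prefix and 30-minute window are assumptions to replace with the values for your deployment, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumptions, not from the advisory: uploads are submitted through
# WordPress's admin-ajax.php and stored under /wp-content/uploads/.
# Replace both with the plugin's real endpoint and storage path.
UPLOAD_ENDPOINT = "/wp-admin/admin-ajax.php"
STORAGE_PREFIX = "/wp-content/uploads/"
# .php, .php5, .phtml, .phar at the end of the path, before PATH_INFO ("/"),
# or before a second extension such as ".php.jpg".
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)(?:$|[/.])", re.I)
WINDOW = timedelta(minutes=30)  # how long after an upload a request counts

LINE = re.compile(  # Apache/nginx "combined" access log format
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_webshell_pattern(lines):
    """Return every request for a script under the storage path, marking
    those that follow an upload POST from the same client within WINDOW."""
    last_upload = {}  # client IP -> time of its most recent upload POST
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            last_upload[m["ip"]] = ts
        elif path.startswith(STORAGE_PREFIX) and SCRIPT_EXT.search(path):
            prior = last_upload.get(m["ip"])
            follows = prior is not None and timedelta(0) <= ts - prior <= WINDOW
            hits.append({"ip": m["ip"], "path": path, "status": m["status"],
                         "follows_upload": follows})
    return hits

# Constructed sample lines for illustration, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [21/Nov/2025:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [21/Nov/2025:10:02:40 +0000] "GET /wp-content/uploads/example/a1.php?v=1 HTTP/1.1" 200 37 "-" "-"',
    '198.51.100.4 - - [21/Nov/2025:10:05:00 +0000] "GET /wp-content/uploads/2025/11/logo.png HTTP/1.1" 200 9001 "-" "-"',
    '198.51.100.9 - - [21/Nov/2025:11:00:00 +0000] "GET /wp-content/uploads/old/x.phtml HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_webshell_pattern(SAMPLE):
        print(hit)
```

Hits with `follows_upload` set and a 200 status are the ones to triage first; a 403 on a script path shows the no-execute rule from the HARDEN step doing its job, but the file still needs removing.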

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, Robustness and Cybersecurity
  Art. 9 - Risk Management System
ISO 42001
  A.10.5 - AI system use by third parties
  A.8.2 - AI System Security Controls
NIST AI RMF
  GOVERN 1.2 - Roles and Responsibilities for AI Risk
  MANAGE 2.2 - Risk Treatment for AI Systems
  MANAGE-2.2 - Risk Treatment for AI Risks
OWASP LLM Top 10
  LLM03 - Supply Chain Vulnerabilities
  LLM05 - Supply Chain Vulnerabilities
  LLM06 - Excessive Agency
  LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2025-12973 actively exploited?

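No active exploitation had been confirmed at the publication date, and the CVE is not in CISA KEV. Proof-of-concept exploit code is publicly available for CVE-2025-12973, however, which increases the risk of exploitation.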

How to fix CVE-2025-12973?

1. PATCH: Update S2B AI Assistant plugin to v1.7.9+ immediately via WordPress admin. If patching is not feasible, disable the plugin until updated.
2. AUDIT: Review all WordPress editor-level accounts—revoke unnecessary privileges and enforce MFA. Audit recent uploads in the plugin's storage path for webshells (.php, .phtml, .php5, .phar).
3. DETECT: Query web server access logs for POST requests to plugin upload endpoints followed by GET requests to the same paths—this is the webshell execution pattern. Alert on script execution from upload directories.
4. HARDEN: Implement WAF rules blocking executable file uploads to WordPress plugin directories. Ensure upload directories have no-execute permissions (deny execution via .htaccess or nginx deny block).
5. ROTATE SECRETS: If compromise is suspected, immediately rotate all API keys on the server—OpenAI, Stripe, database credentials, and any secrets in wp-config.php.

What systems are affected by CVE-2025-12973?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin deployments, LLM API integrations via CMS plugins, Web applications with AI chatbot plugins, OpenAI/ChatGPT API consumer applications, Content management systems with AI content generation.

What is the CVSS score for CVE-2025-12973?

CVE-2025-12973 has a CVSS v3.1 base score of 7.2 (HIGH). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

The S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploitation Scenario

An adversary targets an organization using the S2B AI Assistant plugin as their customer-facing ChatGPT integration on WordPress. They obtain Editor-level credentials via spearphishing or credential stuffing against the WordPress login portal—a realistic scenario given Editor accounts are often granted to marketing and content teams. Authenticated as an Editor, the adversary calls the plugin's file storage endpoint by submitting a crafted multipart upload request to storeFile(), attaching a PHP webshell with a disguised extension. Since no file type or MIME validation occurs, the webshell is written to the server file system. The adversary directly requests the uploaded file via a browser, achieving arbitrary code execution. From there, they extract the OpenAI API key from plugin configuration, exfiltrate the WordPress database (user PII, chat logs, content), and establish persistent access to the host. If the server is cloud-hosted, they enumerate IAM roles and cloud metadata endpoints for lateral movement.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: November 21, 2025
Last Modified: November 25, 2025
First Seen: November 21, 2025
