Description
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.11.1374. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution through unrestricted file upload
Action: Patch Now
AI Analysis

Impact

This vulnerability originates from an omitted or incorrect nonce check in the uploadImage() routine of the Bread & Butter WordPress plugin. The missing CSRF protection lets an unauthenticated attacker submit a crafted request that uploads any file to the server. If the attacker can trick a site administrator into visiting the forged URL, the uploaded file may be executed as code, enabling full control over the affected system.

Affected Systems

Bread & Butter AI‑Powered Lead Intelligence plugin for WordPress, all versions up to and including 7.11.1374.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk level, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. The attack vector relies on CSRF: an attacker must lure an administrator to click a malicious link, after which arbitrary file upload and potential remote code execution become possible. Privilege escalation is not required, but the outcome can be fully deterministic if the admin authorizes the request.

Generated by OpenCVE AI on April 21, 2026 at 01:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Bread & Butter plugin update (>=7.11.1375).
  • If the plugin is not essential, uninstall or deactivate it.
  • Implement a web‑application firewall rule to block unauthenticated file uploads to the plugin’s upload endpoint.

Generated by OpenCVE AI on April 21, 2026 at 01:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.11.1374. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.10.1321 - Cross-Site Request Forgery to Arbitrary File Upload Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.11.1374 - Cross-Site Request Forgery to Arbitrary File Upload
References

Mon, 16 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Breadbutter bread \& Butter
CPEs cpe:2.3:a:breadbutter:bread_and_butter:*:*:*:*:*:wordpress:*:* cpe:2.3:a:breadbutter:bread_\&_butter:*:*:*:*:*:wordpress:*:*
Vendors & Products Breadbutter bread And Butter
Breadbutter bread \& Butter

Wed, 17 Dec 2025 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Breadbutter
Breadbutter bread And Butter
CPEs cpe:2.3:a:breadbutter:bread_and_butter:*:*:*:*:*:wordpress:*:*
Vendors & Products Breadbutter
Breadbutter bread And Butter

Fri, 05 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.10.1321 - Cross-Site Request Forgery to Arbitrary File Upload
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Breadbutter Bread \& Butter
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:24.884Z

Reserved: 2025-10-24T20:00:43.777Z

Link: CVE-2025-12189

cve-icon Vulnrichment

Updated: 2025-12-05T14:05:44.715Z

cve-icon NVD

Status : Modified

Published: 2025-12-05T06:16:06.573

Modified: 2026-04-08T19:23:11.450

Link: CVE-2025-12189

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:15:20Z

Weaknesses