Description
The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.
Published: 2025-10-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Upload with possible remote code execution
Action: Patch Immediately
AI Analysis

Impact

WP Dispatcher, a WordPress plugin, allows authenticated users with Subscriber level access or higher to upload files through the wp_dispatcher_process_upload() function. The function lacks file type validation, permitting arbitrary file uploads. An attacker who can authenticate to the site (e.g., a legitimate subscriber) could upload any file, including potentially executable scripts. Although the upload directory contains an .htaccess file that restricts remote execution, a successful upload could still allow an attacker to place a malicious file that the server might inadvertently execute, leading to remote code execution, data exfiltration, or site defacement.

Affected Systems

The vulnerability affects ekndev’s WP Dispatcher plugin for WordPress. All releases up to and including version 1.2.0 are susceptible. The issue exists on any WordPress site that has this plugin installed and grants subscribers the ability to create uploads.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk when exploited, yet the EPSS score of less than 1% signals a low probability of exploitation at this time, and the CVE is not listed in the CISA KEV catalog. Exploitation requires authenticated access, so the attack vector is an authenticated user with subscriber-level privileges. Once an attacker gains upload capability, they could immediately upload a malicious script and potentially trigger remote code execution, depending on the server configuration. This underscores the importance of timely remediation.

Generated by OpenCVE AI on April 20, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Dispatcher to the latest released version or remove it if the plugin is no longer required.
  • Disable or restrict the upload feature for subscriber-level users, ensuring that only administrators can upload files.
  • Enforce strict file type validation on the server side, rejecting any uploads that are not explicitly allowed, and verify MIME types before storing them.

Generated by OpenCVE AI on April 20, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-32247 The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 03 Oct 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

Type Values Removed Values Added
Description The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.
Title WP Dispatcher <= 1.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:18.689Z

Reserved: 2025-08-19T19:33:21.414Z

Link: CVE-2025-9212

cve-icon Vulnrichment

Updated: 2025-10-03T18:25:30.492Z

cve-icon NVD

Status : Deferred

Published: 2025-10-03T12:15:47.417

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9212

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses