Description
The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.
Published: 2025-09-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WPCasa plugin for WordPress contains a code injection flaw caused by inadequate validation of the parameters processed by the 'api_requests' function. This flaw allows an attacker with no authentication to invoke arbitrary PHP functions and execute code on the server, leading to full control of the compromised WordPress installation.

Affected Systems

WordPress sites running the WPCasa plugin version 1.4.1 or earlier are affected. The vulnerability applies to all releases up to and including 1.4.1, with no further version information provided in the CVE record.

Risk and Exploitability

The CVSS score of 9.8 marks this as a critical issue, while the EPSS score of less than 1% indicates that the likelihood of exploitation is currently low. It is not listed as a known exploited vulnerability in the CISA KEV catalog. The attack vector is inferred to be a publicly accessible API endpoint exposed by the plugin, where unauthenticated users can craft requests that trigger the injection. An attacker would typically send a request to the plugin’s API URL with malicious parameters to execute arbitrary PHP functions.

Generated by OpenCVE AI on April 20, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available WPCasa plugin version that includes a patch for this vulnerability.
  • If a patched version is not yet available, remove or disable the WPCasa plugin and deny unauthenticated access to any related REST API endpoints.
  • Configure a web application firewall or server-side rule to block or restrict access to the plugin’s REST API paths, ensuring that only authenticated users can reach them.

Advisories

Source: EUVD
ID: EUVD-2025-30829
Title: The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.

History

Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpsight; Wpsight wpcasa

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpsight; Wpsight wpcasa

Tue, 23 Sep 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 04:45:00 +0000

Type: Description
Values Added: The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.

Type: Title
Values Added: WPCasa <= 1.4.1 - Unauthenticated Code Injection

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:45.258Z

Reserved: 2025-08-21T18:07:39.969Z

Link: CVE-2025-9321

Vulnrichment

Updated: 2025-09-23T13:49:03.367Z

NVD

Status : Deferred

Published: 2025-09-23T05:15:35.970

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses