Arbitrary File Upload Vulnerability in Smart Auto Upload Images Plugin for WordPress
CVE-2025-12161

8.8HIGH

Key Information:

Vendor: WordPress
Status: Smart Auto Upload Images – Import External Images
Vendor: CVE Published:; 8 November 2025

What is CVE-2025-12161?

The Smart Auto Upload Images plugin for WordPress allows authenticated users with Contributor-level access and above to upload arbitrary files due to inadequate validation of file types in its auto-image creation functionality. This vulnerability affects all versions up to and including 1.2.0, posing a potential risk of remote code execution on the affected server. Website administrators are urged to update to the latest version to mitigate this security risk.

Affected Version(s)

Smart Auto Upload Images – Import External Images * <= 1.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?old_path=%2F...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 8, 2025
Vulnerability Reserved
Oct 24, 2025

Credit

Dieu Link

GCSC Vietnam

JSON