Arbitrary File Upload Vulnerability in KiotViet Sync Plugin for WordPress
CVE-2025-12674
9.8 CRITICAL
What is CVE-2025-12674?
The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file upload because the create_media() function does not adequately validate file types. This flaw allows unauthenticated attackers to upload potentially malicious files to the server, which can lead to further exploitation, including remote code execution. All versions up to and including 1.8.5 are affected, so users should apply security patches and follow best practices for plugin management.
Affected Version(s)
KiotViet Sync * <= 1.8.5