VYPR
Medium severity · CVSS 4.9 · NVD Advisory · Published Dec 2, 2025 · Updated Apr 15, 2026

CVE-2025-12630

Description

The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users with roles such as Contributor to view site options.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Upload.am WordPress plugin before 1.0.1 lacks a capability check on an AJAX handler, allowing contributor-level users to read arbitrary site options.

Vulnerability

Overview

The Upload.am File Hosting VPN WordPress plugin, versions prior to 1.0.1, contains a missing capability check in one of its AJAX request handlers. This flaw allows any authenticated user with at least Contributor-level access to retrieve arbitrary site options from the WordPress database. The vulnerability was discovered by researcher Beatriz Fresno Naumova and reported via WPScan [1].

Exploitation

Prerequisites

An attacker must have a valid WordPress user account with Contributor privileges or higher. No additional authentication is required beyond the standard session. The vulnerable AJAX endpoint does not verify the user's permissions before returning sensitive configuration data, making it trivial for a low-privileged user to enumerate site options [1].

Impact

By exploiting this vulnerability, an attacker can read arbitrary WordPress options, which may include database credentials, API keys, secret salts, and other sensitive configuration values. This information could be leveraged to further compromise the site or escalate privileges. The CVSS v3 base score is 4.9 (Medium), reflecting that authenticated access is required while the data that can be exposed may be of high value [1].

Mitigation

The issue is fixed in version 1.0.1 of the plugin. Users are strongly advised to update immediately. No workaround is available for older versions. The vulnerability was publicly disclosed on September 29, 2025, and added to the WPScan database on November 4, 2025 [1].
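As an added illustration of the bug class (constructed for this page, not the Upload.am plugin's code; all function and option names are hypothetical), the following shows a WordPress AJAX handler that returns an option without any authorization check beside a hardened version that verifies a nonce, requires a capability, and limits which options can be read:

```php
<?php
// Hypothetical plugin code, constructed for illustration only.
// Not taken from the Upload.am plugin; names are assumed.

// BEFORE: wp_ajax_* hooks are reachable by every logged-in user, and
// nothing here checks that the caller may read site configuration, so a
// Contributor can request any option name and receive its stored value.
function example_get_option_unchecked() {
    $name = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    wp_send_json_success( get_option( $name ) );
}
add_action( 'wp_ajax_example_get_option_v1', 'example_get_option_unchecked' );

// AFTER: verify a nonce (CSRF), require a capability that matches the
// sensitivity of the data, and allow only the options the feature needs.
function example_get_option_checked() {
    check_ajax_referer( 'example_get_option', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allow-list of non-secret options this endpoint is meant to expose.
    $allowed = array( 'example_api_endpoint', 'example_max_upload_mb' );
    $name    = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';

    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    wp_send_json_success( get_option( $name ) );
}
add_action( 'wp_ajax_example_get_option', 'example_get_option_checked' );
```

When auditing a plugin for this pattern, search every `wp_ajax_` and `wp_ajax_nopriv_` callback that calls `get_option()` and confirm it performs a `current_user_can()` check before returning data.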

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)