Cyber Resilience

CVE-2025-12846

High

Published: 11 November 2025

Published
11 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-12846 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-12846 is an authenticated arbitrary file upload vulnerability affecting the Blocksy Companion plugin for WordPress in all versions up to and including 2.1.19. The issue stems from insufficient file type validation when handling SVG files, which permits double extension files to bypass sanitization while still being accepted as valid SVGs. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Authenticated attackers with author-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading malicious files disguised with double extensions, they can place arbitrary content on the affected WordPress site's server, potentially enabling remote code execution and full server compromise.

Mitigation details are outlined in advisories from Wordfence and a corresponding patch in WordPress plugin trac changeset 3391933, which modifies the SVG handling in the Blocksy Companion framework at trunk/framework/features/svg.php. Security practitioners should urge site owners to update the plugin beyond version 2.1.19 and review access controls for author roles.

EU & UK References

Vulnerability details

The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while…

more

being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability allows authenticated arbitrary file upload to a public-facing WordPress application via insufficient SVG validation and double extensions, directly enabling exploitation of public-facing apps (T1190) and deployment of web shells for RCE (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434
CVE-2026-35164Shared CWE-434
CVE-2026-2097Shared CWE-434
CVE-2025-12154Shared CWE-434
CVE-2026-42748Shared CWE-434
CVE-2025-32957Shared CWE-434

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely remediation of the known flaw in the Blocksy Companion plugin through patching.

prevent

Enforces robust input validation for file uploads to block arbitrary files disguised with double extensions or invalid SVGs.

prevent

Restricts author-level and equivalent roles from performing file uploads unless essential, reducing the attack surface for authenticated exploitation.

References