CVE-2025-12846
Published: 11 November 2025
Summary
CVE-2025-12846 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-12846 is an authenticated arbitrary file upload vulnerability affecting the Blocksy Companion plugin for WordPress in all versions up to and including 2.1.19. The issue stems from insufficient file type validation when handling SVG files, which permits double extension files to bypass sanitization while still being accepted as valid SVGs. This flaw is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Authenticated attackers with author-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By uploading malicious files disguised with double extensions, they can place arbitrary content on the affected WordPress site's server, potentially enabling remote code execution and full server compromise.
Mitigation details are outlined in advisories from Wordfence and a corresponding patch in WordPress plugin trac changeset 3391933, which modifies the SVG handling in the Blocksy Companion framework at trunk/framework/features/svg.php. Security practitioners should urge site owners to update the plugin beyond version 2.1.19 and review access controls for author roles.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-84359
Vulnerability details
The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while…
more
being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows authenticated arbitrary file upload to a public-facing WordPress application via insufficient SVG validation and double extensions, directly enabling exploitation of public-facing apps (T1190) and deployment of web shells for RCE (T1100).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by requiring timely remediation of the known flaw in the Blocksy Companion plugin through patching.
Enforces robust input validation for file uploads to block arbitrary files disguised with double extensions or invalid SVGs.
Restricts author-level and equivalent roles from performing file uploads unless essential, reducing the attack surface for authenticated exploitation.