CVE-2025-7847
Published: 31 July 2025
Summary
CVE-2025-7847 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
- Directly requires validation of information inputs such as file types during uploads, addressing the missing file type validation in rest_simpleFileUpload().
- Mandates identification, reporting, and timely remediation of software flaws like this arbitrary file upload vulnerability through patching affected plugin versions.
- Enforces restrictions on classes of information inputs to block dangerous file types, mitigating unrestricted uploads of arbitrary files via the REST API.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload in the WordPress AI Engine plugin enables exploitation of a public-facing application (T1190) and facilitates uploading web shells for remote code execution (T1100) and persistence (T1505.003).
NVD Description
The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server when the REST API is enabled, which may make remote code execution possible.
Deeper analysisAI
CVE-2025-7847 is an arbitrary file upload vulnerability in the AI Engine plugin for WordPress, affecting versions 2.9.3 and 2.9.4. The issue arises from missing file type validation in the rest_simpleFileUpload() function, allowing unauthorized file uploads to the server. It is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability when the WordPress REST API is enabled. By uploading arbitrary files, they can potentially achieve remote code execution on the affected site, compromising confidentiality, integrity, and availability.
Advisories and patch details are documented in the WordPress plugin Trac repository, including code browser links for the affected files in version 2.9.3 and changesets such as 3329842 that address the issue in trunk. The Wordfence threat intelligence page provides further vulnerability analysis.
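The control that was missing here is an allow-list file-type check on the upload endpoint. The following is an added example, not code from the AI Engine plugin or from WordPress core, written in plain PHP so it runs from the CLI without WordPress. The names ALLOWED_UPLOAD_TYPES, validate_upload() and make_temp() are assumed for illustration; the three sample uploads are constructed inline.

```php
<?php
// Added example (not the plugin's or WordPress core's code): a deny-by-default
// file-type check of the kind rest_simpleFileUpload() lacked in the affected
// versions. Runnable from the CLI; needs only the standard fileinfo extension.

declare(strict_types=1);

// Only these extension/MIME pairs may be stored (allow-list, never a deny-list of .php etc.).
const ALLOWED_UPLOAD_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate an uploaded file before it is moved into a web-accessible directory.
 *
 * @param string $tmpPath    path of the temporary upload on disk
 * @param string $clientName file name supplied by the client (untrusted)
 * @return array{ok: bool, reason?: string, name?: string, mime?: string}
 */
function validate_upload(string $tmpPath, string $clientName): array
{
    // 1. Extension must be on the allow-list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOAD_TYPES[$ext])) {
        return ['ok' => false, 'reason' => "extension '{$ext}' is not allowed"];
    }

    // 2. Content must agree with the extension: sniff the bytes, do not trust headers.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_UPLOAD_TYPES[$ext]) {
        return ['ok' => false, 'reason' => "content type {$mime} does not match .{$ext}"];
    }

    // 3. Never reuse the client-supplied name on disk; generate one server-side so
    //    path separators, double extensions and dotfiles cannot reach storage.
    $storedName = bin2hex(random_bytes(8)) . '.' . $ext;
    return ['ok' => true, 'name' => $storedName, 'mime' => $mime];
}

// Write constructed sample bytes to a temp file so the check can run offline.
function make_temp(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);
    return $path;
}

// Constructed sample uploads (name as sent by the client, file content).
$samples = [
    // minimal PNG: signature followed by an IHDR chunk header -> accepted
    ['photo.png', "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR"],
    // PHP source under a .php name -> rejected at step 1
    ['shell.php', "<?php echo 'x'; ?>"],
    // PHP source disguised with an image extension -> rejected at step 2
    ['shell.png', "<?php echo 'x'; ?>"],
];

foreach ($samples as [$name, $bytes]) {
    $tmp    = make_temp($bytes);
    $result = validate_upload($tmp, $name);
    unlink($tmp);
    printf("%-10s -> %s\n", $name,
        $result['ok'] ? "accepted as {$result['name']}" : "rejected: {$result['reason']}");
}
```

Inside a WordPress plugin the same two checks are what `wp_check_filetype_and_ext()` and `wp_handle_upload()` perform against the site's allowed MIME types; a REST upload handler that bypasses those helpers and writes the raw request body to the uploads directory is the pattern to look for when reviewing plugin code for this class of flaw.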
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category: Enterprise AI Assistants
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: The vulnerability affects the AI Engine plugin for WordPress, which provides AI-powered features like chatbots and content generation, fitting the Enterprise AI Assistants category as an AI integration for enterprise CMS platforms.