CVE-2025-9321
Published: 23 September 2025
Summary
CVE-2025-9321 is a critical-severity Code Injection (CWE-94) vulnerability in the WPCasa plugin for WordPress, affecting all versions up to and including 1.4.1. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the code injection by enforcing validation of inputs to the vulnerable 'api_requests' function; in practice this means resolving the requested action through an explicit allowlist rather than from a caller-supplied function name.
- SI-2 (Flaw Remediation): ensures timely remediation of the specific code injection flaw in the WPCasa plugin by applying the patch delivered in the changeset.
- Vulnerability scanning: identifies installs still running the affected plugin versions so they can be patched proactively.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): direct, unauthenticated remote code execution via crafted requests to a public-facing WordPress plugin API endpoint (CWE-94).
NVD Description
The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.
Deeper analysis
CVE-2025-9321 is a code injection vulnerability affecting the WPCasa plugin for WordPress in all versions up to and including 1.4.1. The flaw stems from insufficient input validation and restriction in the 'api_requests' function within the plugin's codebase, specifically around line 48 in class-wpsight-api.php. This CWE-94 issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), critical because it yields remote code execution without authentication.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted requests to the affected 'api_requests' function, they can call arbitrary PHP functions with attacker-chosen arguments, leading to arbitrary code execution on the target server. Successful exploitation has high confidentiality, integrity, and availability impact and can amount to full compromise of the web server account running PHP.
The fix landed in WordPress.org plugin changeset 3365172, which patches the vulnerable code. Security practitioners should update the WPCasa plugin to a release later than 1.4.1 (one that includes that changeset) immediately; until then, the exposed endpoint should be blocked at the web server or WAF. Additional details on the vulnerability and remediation are available in the Wordfence threat intelligence advisory and the plugin's source code repository.
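The following is an added illustration of the CWE-94 pattern described in the two paragraphs above and of the SI-10 control named earlier; it is not the WPCasa plugin's code, and the function names (unsafe_api_requests, safe_api_requests, wpsight_list_listings, wpsight_get_listing) and request parameter names ('action', 'args') are hypothetical. It places the vulnerable dispatch shape (callee and argument list taken straight from the request) beside an allowlist dispatcher in which user input is only ever used as an array key.

```php
<?php
// Added example, not WPCasa code. All names are hypothetical stand-ins.
declare(strict_types=1);

// Two harmless handlers standing in for whatever a listings API would expose.
function wpsight_list_listings(array $args): array
{
    return ['listings' => [], 'filter' => $args];
}

function wpsight_get_listing(array $args): array
{
    // Coerce and range-check the one field this handler accepts.
    $id = filter_var($args['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? ['error' => 'invalid id'] : ['listing' => ['id' => $id]];
}

/**
 * Vulnerable shape (CWE-94): the function to call is resolved from the request.
 * is_callable() is not an authorization check; it returns true for the plugin's
 * own functions and equally for built-ins such as 'system', 'passthru' or
 * 'file_put_contents'. The caller controls both the callee and its argument list.
 */
function unsafe_api_requests(array $request): mixed
{
    $action = (string) ($request['action'] ?? '');
    $args   = $request['args'] ?? [];
    $args   = is_array($args) ? array_values($args) : [$args];

    if (is_callable($action)) {
        return call_user_func_array($action, $args);
    }
    return null;
}

/**
 * Hardened shape (SI-10): a fixed allowlist maps opaque action names to the
 * handlers that are meant to be reachable. The request string is used only as
 * an array key, so no attacker-chosen function name ever reaches a call site.
 */
function safe_api_requests(array $request): array
{
    static $handlers = [
        'list_listings' => 'wpsight_list_listings',
        'get_listing'   => 'wpsight_get_listing',
    ];

    $action = $request['action'] ?? '';
    if (!is_string($action) || !array_key_exists($action, $handlers)) {
        // Unknown action: refuse outright instead of falling back to dynamic lookup.
        return ['error' => 'unknown action'];
    }

    $args = $request['args'] ?? [];
    if (!is_array($args)) {
        return ['error' => 'invalid arguments'];
    }
    return $handlers[$action]($args);
}

// Constructed requests. The first is shaped like an attack: against the unsafe
// dispatcher it would run passthru('id'); the allowlist dispatcher refuses it.
$attack = ['action' => 'passthru', 'args' => ['id']];
var_dump(safe_api_requests($attack));

// A legitimate request works through the same allowlist.
var_dump(safe_api_requests(['action' => 'get_listing', 'args' => ['id' => '7']]));

// The unsafe dispatcher is shown for contrast only; it is never fed $attack here.
var_dump(unsafe_api_requests(['action' => 'wpsight_list_listings', 'args' => [['city' => 'Berlin']]]));
```

The design point is that validation of the action name is a lookup in a closed table, not a predicate over arbitrary strings: `is_callable()`, `function_exists()` or a denylist of dangerous built-ins all leave the attacker in control of which function is named, whereas the allowlist leaves them only the choice among the handlers the plugin intended to expose.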
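As an added check to support the remediation step above (not part of the plugin or the advisory), the snippet below reads the standard WordPress plugin header from a plugin's main file and decides whether the installed version falls in the affected range, treating an unreadable version as affected. The header format and `version_compare()` are WordPress/PHP facts; the sample header is constructed here, and the assumption that the main file is the one to read is the caller's.

```php
<?php
// Added example: is an installed WPCasa copy in the affected range (<= 1.4.1)?
declare(strict_types=1);

const WPCASA_LAST_AFFECTED = '1.4.1';

/**
 * Extract the "Version:" value from a WordPress plugin header block.
 * WordPress itself reads the first 8 KiB of the main file and matches the
 * field at the start of a (comment) line, case-insensitively; mirrored here.
 */
function wp_plugin_header_version(string $source): ?string
{
    $head = substr($source, 0, 8192);
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(.+?)[ \t]*$/mi', $head, $m) === 1) {
        return trim($m[1]);
    }
    return null;
}

/** True when the version is <= 1.4.1; an unknown version fails closed. */
function wpcasa_is_affected(?string $version): bool
{
    if ($version === null || $version === '') {
        return true;
    }
    return version_compare($version, WPCASA_LAST_AFFECTED, '<=');
}

// Constructed header shaped like a plugin main file; not the real WPCasa file.
$sample = <<<'PHPSRC'
<?php
/**
 * Plugin Name: WPCasa
 * Description: constructed sample header for illustration
 * Version: 1.4.1
 */
PHPSRC;

$version = wp_plugin_header_version($sample);
printf(
    "detected version %s -> %s\n",
    $version ?? 'unknown',
    wpcasa_is_affected($version) ? 'AFFECTED, update' : 'not in affected range'
);
```

In a fleet, run the same comparison over each site's `wp-content/plugins/<slug>/` main file (or over the output of the WordPress admin or CLI plugin listing); a version that parses as greater than 1.4.1 is the only result that should be treated as remediated.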
Details
- CWE(s)