CVE-2025-9321

Critical · RCE

Published: 23 September 2025
Modified: 15 April 2026
KEV Added: none (not in CISA KEV)
Patch: available
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9321 is a critical-severity Code Injection (CWE-94) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9321 is a code injection vulnerability affecting the WPCasa plugin for WordPress in all versions up to and including 1.4.1. The flaw stems from insufficient input validation and restrictions in the 'api_requests' function within the plugin's codebase, specifically around line 48 in class-wpsight-api.php. This CWE-94 issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for remote code execution.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted requests to the affected 'api_requests' function, they can call arbitrary PHP functions, leading to arbitrary code execution on the target server. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing full server compromise.

Mitigation is addressed in WordPress plugin changeset 3365172, which patches the vulnerable code. Security practitioners should update the WPCasa plugin to a version later than 1.4.1 immediately. Additional details on the vulnerability and remediation are available in the Wordfence threat intelligence advisory and the plugin's source code repository.

Vulnerability details

The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE via crafted requests to a public-facing WordPress plugin API endpoint (CWE-94).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13773 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2026-30460 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2024-13792 (shared CWE-94)
CVE-2020-37052 (shared CWE-94)
CVE-2026-42555 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) · AI

prevent · SI-10 (Information Input Validation)

Directly mitigates the code injection by enforcing validation of inputs to the vulnerable 'api_requests' function.

prevent · SI-2 (Flaw Remediation)

Ensures timely remediation of the specific code injection flaw in the WPCasa plugin via patching as detailed in the changeset.

prevent

Vulnerability scanning identifies the code injection issue in the plugin for proactive patching and mitigation.
