CVE-2025-9561
Published: 03 October 2025
Summary
CVE-2025-9561 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 41.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-9561 is an arbitrary file upload vulnerability in the AP Background plugin for WordPress, stemming from missing authorization checks and insufficient file validation in the advParallaxBackAdminSaveSlider() handler. It affects versions 3.8.1 through 3.8.2 of the plugin. The issue is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the flawed handler, they can upload arbitrary files to the affected WordPress site's server, potentially enabling remote code execution depending on the file type and server configuration.
Advisories and related resources, including the Wordfence threat intelligence page, the plugin's WordPress.org listing, and the source code for version 3.8.2, provide additional details for assessment and response. Security practitioners should consult these for guidance on identifying affected installations and applying updates or workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32520
Vulnerability details
The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
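For comparison, an added example (written for this page, not the AP Background plugin's code and not its fix) of a WordPress AJAX upload handler that enforces the two controls the advisory says were missing: an authorization check before the upload path is reachable, and allow-list validation of the uploaded file's extension and content. The action name `example_save_slider`, the `manage_options` capability, the nonce name and the field and option names are assumptions.

```php
<?php
// Added illustrative example, not the plugin's own code. It shows a WordPress
// upload handler with the checks the advisory describes as missing: authorization
// before the upload code path, and allow-list validation of the file itself.
// Action name, capability, nonce name, field names and option key are assumptions.

add_action( 'wp_ajax_example_save_slider', 'example_save_slider_handler' );

function example_save_slider_handler() {
    // Authorization (NIST 800-53 AC-3 / AC-6): only users allowed to manage
    // settings reach the upload code; a Subscriber fails this check and is
    // rejected before any file is touched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Anti-CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_save_slider', 'nonce' );

    if ( empty( $_FILES['slider_image']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['slider_image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['slider_image'];

    // File validation (CWE-434): an explicit allow-list of image types. The
    // client-supplied name and MIME type are not trusted; WordPress checks the
    // real content type and rejects a mismatch such as a script renamed to .jpg.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let WordPress store the file under wp-content/uploads with its own checks
    // applied again, rather than writing to a caller-chosen path.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }
    update_option( 'example_slider_image', esc_url_raw( $upload['url'] ) );
    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```

Each `wp_send_json_error()` call terminates the request, so a failed check never reaches the file-handling code below it.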
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload vulnerability in a public-facing WordPress plugin allows authenticated low-privilege attackers to achieve remote code execution, directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly addressing the missing authorization checks in the advParallaxBackAdminSaveSlider() handler that allow Subscriber-level users to upload arbitrary files.
- SI-10 (Information Input Validation): implements input validation at entry points, mitigating the insufficient file validation that enables arbitrary file uploads potentially leading to remote code execution.
- AC-6 (Least Privilege): restricts Subscriber-level and higher users from accessing upload handlers they have no legitimate need for, preventing exploitation by limiting unnecessary permissions for such actions.