Cyber Resilience

CVE-2025-9561

High

Published: 03 October 2025

Modified: 15 April 2026
KEV Added: not listed
Patch: (no value recorded on this page)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9561 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability affecting WordPress (the affected product is inferred from the references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9561 is an arbitrary file upload vulnerability in the AP Background plugin for WordPress, stemming from missing authorization checks and insufficient file validation in the advParallaxBackAdminSaveSlider() handler. It affects versions 3.8.1 through 3.8.2 of the plugin. The issue is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the flawed handler, they can upload arbitrary files to the affected WordPress site's server, potentially enabling remote code execution depending on the file type and server configuration.

Advisories and related resources, including the Wordfence threat intelligence page, the plugin's WordPress.org listing, and the source code for version 3.8.2, provide additional details for assessment and response. Security practitioners should consult these for guidance on identifying affected installations and applying updates or workarounds.

EU & UK References

Vulnerability details

The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The arbitrary file upload vulnerability sits in a public-facing WordPress plugin and allows authenticated, low-privilege attackers to achieve remote code execution, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-56975 (shared CWE-434)
CVE-2019-25580 (shared CWE-434)
CVE-2026-27636 (shared CWE-434)
CVE-2026-4809 (shared CWE-434)
CVE-2020-37090 (shared CWE-434)
CVE-2026-24729 (shared CWE-434)
CVE-2026-28289 (shared CWE-434)
CVE-2026-1730 (shared CWE-434)
CVE-2023-50897 (shared CWE-434)
CVE-2025-70457 (shared CWE-434)

Affected Assets

WordPress
Inferred from the references and description; NVD did not record a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: AC-3 (Access Enforcement)

Enforces approved authorizations for access to system resources, directly addressing the missing authorization checks in the advParallaxBackAdminSaveSlider() handler that allow Subscriber-level users to upload arbitrary files.

Prevent: input validation

Implements input validation at entry points, mitigating the insufficient file validation that enables arbitrary file uploads and potentially remote code execution.

Prevent: AC-6 (Least Privilege)

Applies least privilege so that Subscriber-level and other low-privilege users cannot reach upload handlers, removing the permission the exploit depends on.
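The three controls above correspond to three checks a WordPress admin-ajax upload handler should make before touching a file. The handler below is an added illustration written for this page, not the AP Background plugin's code; the hook name, action name, nonce name, field name and the manage_options capability are assumptions, while the WordPress functions it calls are real core APIs.

```php
<?php
// Added example (not the plugin's own code): a hardened admin-ajax upload
// handler for a slider image. Hook, action, nonce and field names are
// hypothetical; the WordPress core functions are real.

add_action( 'wp_ajax_example_save_slider', 'example_save_slider_handler' );

function example_save_slider_handler() {
    // AC-3 / AC-6: only users who may manage plugin settings get past this
    // line. Subscriber-level accounts receive a 403 and nothing is written.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // Anti-CSRF: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_save_slider', '_wpnonce' );

    if ( empty( $_FILES['slider_image'] ) || ! is_array( $_FILES['slider_image'] ) ) {
        wp_send_json_error( array( 'message' => 'No file supplied' ), 400 );
    }
    $file = $_FILES['slider_image'];

    // Input validation: accept only image types, verified by extension AND
    // by file content, never by the client-supplied Content-Type header.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not permitted' ), 415 );
    }

    // Hand the file to the core uploader, which re-checks the MIME type,
    // sanitises the file name and stores it under the uploads directory.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload(
        $file,
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}
```

Each wp_send_json_error() call terminates the request, so a failed capability, nonce or type check never reaches the file-handling code.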

References