Brief Summary: CVE-2025-12138 Arbitrary File Upload in WordPress URL Image Importer

This post provides a brief summary of CVE-2025-12138, an arbitrary file upload vulnerability in the WordPress URL Image Importer plugin up to version 1.0.6. It covers technical details, affected versions, and references for further reading.
ZeroPath CVE Analysis

2025-11-21
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Authenticated attackers with Author-level access or higher can upload arbitrary files to vulnerable WordPress sites, which can lead to remote code execution if the server executes PHP in the uploads directory. The vulnerability affects the URL Image Importer plugin, a tool that simplifies media management by letting users import images from external URLs directly into the media library.

About the plugin and vendor: URL Image Importer is developed by Infinite Uploads, a company focused on WordPress media management solutions. The plugin was first released in January 2025 and is part of a suite of tools aimed at streamlining file handling for WordPress administrators and agencies. While not as widely adopted as some legacy plugins, it addresses a common workflow need in the WordPress ecosystem.

Technical Information

CVE-2025-12138 is an arbitrary file upload vulnerability in the URL Image Importer plugin for WordPress, affecting all versions up to and including 1.0.6. The flaw is in the uimptr_import_image_from_url() function, which fetches a user-supplied URL and stores the result in the media library. To decide whether the download is an image, the function relies on the Content-Type HTTP header accompanying the response rather than on the bytes it actually received. Because the attacker chooses the URL, and can therefore point it at a server they operate, that header is attacker-controlled and proves nothing about the file's contents.

The vulnerable code path writes the file to the server before performing adequate validation. An authenticated user with Author-level access or higher can therefore submit a URL whose response carries an image Content-Type (such as image/jpeg) but whose body is executable PHP code. If PHP execution has not been disabled for the uploads directory, the stored file can then be requested directly and executed, yielding remote code execution under the web server account.

Relevant code locations:

The root cause is insufficient server-side validation of file content and reliance on a sender-supplied HTTP header: Content-Type is metadata asserted by whoever serves the response, not a property of the file. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
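The following is an added example and not the plugin's code: a reconstruction in PHP of the flawed pattern described above, placed next to a hardened version built on WordPress core APIs. The function names, the allowed-type list and the way the filename is derived from the URL are assumptions for illustration; only the WordPress functions called (wp_remote_get, download_url, wp_get_image_mime, media_handle_sideload and friends) are real.

```php
<?php
/**
 * Added example (not the plugin's code). Reconstructs the Content-Type-trusting
 * pattern described in the advisory and shows a hardened replacement.
 * Function names, allowed types and filename handling are assumptions.
 */

// ---- Vulnerable pattern: trusts the remote Content-Type, writes before validating ----
function example_insecure_import_from_url( $url ) {
    $response = wp_remote_get( $url );
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // The remote server chose this header. An attacker pointing the import at a host
    // they control can return "image/jpeg" for a body that is PHP source.
    $content_type = wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( (string) $content_type, 'image/' ) ) {
        return new WP_Error( 'not_image', 'Remote resource is not an image.' );
    }

    // Filename, and therefore extension, comes from the attacker-supplied URL path (assumption).
    $filename = sanitize_file_name( basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
    $uploads  = wp_upload_dir();
    $dest     = trailingslashit( $uploads['path'] ) . $filename;

    // Body lands in a web-served directory with whatever extension the URL carried.
    file_put_contents( $dest, wp_remote_retrieve_body( $response ) );
    return $dest;
}

// ---- Hardened version: capability check, sniff the bytes, let core place the file ----
function example_secure_import_from_url( $url ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // download_url() fetches through wp_safe_remote_get(), which rejects non-http(s)
    // schemes and hosts that resolve to private/loopback addresses, and streams the
    // body into a temp file in the system temp directory, not under uploads.
    $tmp = download_url( esc_url_raw( $url ) );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    $allowed = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp' ); // assumption

    // 1) Sniff the actual bytes. wp_get_image_mime() uses exif_imagetype()/getimagesize()
    //    and returns false for anything that is not a real image, whatever the header said.
    $real_mime = wp_get_image_mime( $tmp );
    if ( ! $real_mime || ! in_array( $real_mime, $allowed, true ) ) {
        @unlink( $tmp );
        return new WP_Error( 'invalid_type', 'Downloaded content is not an allowed image.' );
    }

    // 2) Derive the stored extension from the sniffed type, discarding the URL's extension.
    $ext_for  = array( 'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif', 'image/webp' => 'webp' );
    $base     = pathinfo( basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ), PATHINFO_FILENAME );
    $filename = sanitize_file_name( ( '' !== $base ? $base : 'import' ) . '.' . $ext_for[ $real_mime ] );

    // 3) Hand off to core. media_handle_sideload() calls wp_handle_sideload(), which
    //    re-validates with wp_check_filetype_and_ext() and moves the file into uploads
    //    under a unique name, then creates the attachment post.
    $attachment_id = media_handle_sideload( array( 'name' => $filename, 'tmp_name' => $tmp ), 0 );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
    }
    return $attachment_id;
}
```

Two points worth noting. First, the fix is not "check the header more carefully": the header is discarded entirely and the decision rests on the file's bytes plus a server-chosen extension, which is the property CWE-434 mitigations need. Second, the plugin-level fix is independent of the server-level one the advisory alludes to; denying PHP execution under wp-content/uploads (an Apache `<FilesMatch "\.php$">` block with `Require all denied` in that directory's .htaccess, or an nginx `location` returning 403 for `.php` paths under uploads) turns any future upload bypass into an inert file rather than a shell. When triaging an exposed site, listing `*.php` files under wp-content/uploads and comparing each file's magic bytes with its extension is a quick way to spot whether this or a similar flaw was already used.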

Affected Systems and Versions

  • Product: URL Image Importer plugin for WordPress
  • Affected versions: All versions up to and including 1.0.6
  • Vulnerable configuration: Any WordPress site with the plugin installed and active, where users with Author-level or higher access can use the import feature

Vendor Security History

No prior major vulnerabilities have been reported in the URL Image Importer plugin or other Infinite Uploads products. The vendor released a patched version (1.0.7) promptly after disclosure.
