Introduction
Attackers can gain remote code execution on WordPress sites running the KiotViet Sync plugin simply by uploading a malicious file—no authentication required. This flaw affects e-commerce stores that rely on KiotViet POS and WooCommerce integration, putting both site integrity and customer data at risk.
KiotViet Sync is a WordPress plugin used primarily by small to mid-sized businesses in Southeast Asia to synchronize inventory, orders, and product data between KiotViet POS systems and WooCommerce. The plugin has around 600 active installations and serves a niche but critical function for its users.
Technical Information
CVE-2025-12674 is a critical vulnerability caused by missing file type validation in the create_media() function of the KiotViet Sync plugin. All versions up to and including 1.8.5 are affected (Wordfence).
The vulnerability allows an unauthenticated attacker to upload arbitrary files to the server. The core issue is that the plugin does not check the type or contents of uploaded files. An attacker can send a crafted HTTP POST request to the vulnerable endpoint, supplying a PHP script or other executable file. The plugin saves the file to a web-accessible directory (such as wp-content/uploads), where it can be accessed and executed by the attacker, resulting in remote code execution.
Common exploitation techniques include:
- Using double extensions (e.g., shell.php.jpg) to bypass naive extension checks
- Spoofing the Content-Type header to evade superficial MIME checks
The vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type.
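As an added example (not the plugin's own code), the following hypothetical WordPress upload handler shows the checks whose absence the advisory describes: a capability check so anonymous callers are refused, a type decision based on file content rather than the client's Content-Type header, and rejection of double-extension names. The function name and the image allowlist are assumptions.

```php
<?php
/**
 * Hardened media upload handler (hypothetical; not the plugin's create_media()).
 * Demonstrates the CWE-434 controls discussed on this page.
 *
 * @param array $file One entry of $_FILES (keys: name, tmp_name, type, size, error).
 * @return array Either array('error' => ...) or the stored file's path, URL and type.
 */
function kv_example_create_media( array $file ): array {
    // 1. Never accept uploads from anonymous or low-privilege callers.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return array( 'error' => 'forbidden' );
    }

    // 2. Allowlist only the image types a product sync needs (assumed list).
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // 3. Normalise the client-supplied name, then refuse anything with more than
    //    one extension (shell.php.jpg) or no extension at all, rather than trusting it.
    $name = sanitize_file_name( wp_basename( $file['name'] ) );
    if ( substr_count( $name, '.' ) !== 1 ) {
        return array( 'error' => 'filename must carry exactly one extension' );
    }

    // 4. Derive the type from the file CONTENT via WordPress' finfo-based check.
    //    $file['type'] (the request's Content-Type) is deliberately never consulted,
    //    so a spoofed header changes nothing.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'error' => 'content does not match an allowed image type' );
    }

    // 5. Hand off to the core upload pipeline, pinned to the same allowlist,
    //    instead of writing into wp-content/uploads directly.
    $result = wp_handle_upload(
        $file,
        array( 'test_form' => false, 'mimes' => $allowed_mimes )
    );
    if ( isset( $result['error'] ) ) {
        return $result;
    }
    return array( 'file' => $result['file'], 'url' => $result['url'], 'type' => $result['type'] );
}
```

Independently of the handler, denying script execution under wp-content/uploads at the web server limits the impact of any upload flaw that does slip through.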
Affected Systems and Versions
- Product: KiotViet Sync WordPress plugin
- Affected versions: All versions up to and including 1.8.5
- Vulnerable configuration: Any WordPress site with the plugin enabled and accessible
Vendor Security History
KiotViet Sync has a record of multiple security issues:
- CVE-2025-32573: SQL injection vulnerability in versions up to 1.8.4
- Broken access control and webhook key exposure in recent versions
- Hard-coded password issues and insufficient input validation have also been reported
The vendor has not demonstrated prompt or transparent communication regarding security incidents, and patch response times have been slow based on available public sources.