CVE-2025-12171: 
WordPress vulnerability analysis and mitigation

The RESTful Content Syndication plugin for WordPress contains a file upload vulnerability (CVE-2025-12171) discovered in versions 1.1.0 to 1.5.0. The vulnerability was disclosed on November 1, 2025, and affects the ingest_image() function due to missing file type validation (NVD).

The vulnerability stems from insufficient file type validation in the ingest_image() function, which allows authenticated users with Author-level access or higher to upload arbitrary files to the server. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability could enable authenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution. However, exploitation requires the attacker to have access to a defined third-party server specified in the plugin's settings, making it more likely to be exploited by administrators with access to these settings rather than regular contributors (NVD).

The vulnerability has been patched in version 1.6.0 of the plugin, which includes security improvements to ensure only image files are downloaded and stored locally. The update was implemented thanks to responsible disclosure by Wordfence/kr0d (WordPress Plugin).