CVE-2025-9212: 
WordPress vulnerability analysis and mitigation

The WP Dispatcher plugin for WordPress (CVE-2025-9212) contains a vulnerability related to arbitrary file uploads, discovered and disclosed in October 2025. The vulnerability affects all versions up to and including 1.2.0 of the WP Dispatcher plugin. This security issue was identified and reported by Wordfence security researchers (NVD CVE, Wordfence Report).

The vulnerability stems from missing file type validation in the wpdispatcherprocess_upload() function. The security flaw has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD CVE).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server. While this could potentially lead to remote code execution, the presence of an .htaccess file in the directory provides some limitation to the execution capability (NVD CVE).

Site administrators running WP Dispatcher plugin version 1.2.0 or lower should update to a patched version when available. In the interim, it's recommended to restrict user roles and implement additional file upload restrictions (NVD CVE).