CVE-2025-9212: 
WordPress vulnerability analysis and mitigation

The WP Dispatcher plugin for WordPress (versions up to 1.2.0) was identified with a critical security vulnerability (CVE-2025-9212) on October 2, 2025. The vulnerability allows authenticated users with Subscriber-level access or higher to perform arbitrary file uploads due to missing file type validation in the wpdispatcherprocess_upload() function (NVD CVE, Wordfence Intel).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The security flaw stems from inadequate file type validation in the wpdispatcherprocess_upload() function. While the vulnerability allows for arbitrary file uploads, the presence of an .htaccess file in the directory provides some limitation to achieving remote code execution (NVD CVE).

The vulnerability enables authenticated attackers with Subscriber-level privileges or higher to upload arbitrary files to the affected site's server. While this could potentially lead to remote code execution, the presence of an .htaccess file provides some mitigation against full exploitation (NVD CVE).

Site administrators running WP Dispatcher version 1.2.0 or lower should update to a patched version when available. In the interim, it's recommended to review and potentially restrict user roles that have access to file upload functionality (NVD CVE).