CVE-2025-9321: 
WordPress vulnerability analysis and mitigation

The WPCasa plugin for WordPress contains a Code Injection vulnerability (CVE-2025-9321) affecting all versions up to and including 1.4.1. The vulnerability stems from insufficient input validation and restriction on the 'api_requests' function, allowing unauthenticated attackers to call arbitrary functions and execute code. This vulnerability was discovered and reported by mikemyers from Wordfence and was disclosed on September 23, 2025 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue exists in the api_requests function within the WPCasa plugin, specifically in the class-wpsight-api.php file. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD, Wordfence).

Due to the critical nature of this vulnerability, successful exploitation could allow unauthenticated attackers to execute arbitrary code on affected WordPress installations. This could potentially lead to complete site compromise, data theft, or site defacement (NVD).

The vulnerability has been patched in version 1.4.2 of the WPCasa plugin. Site administrators are strongly advised to update to this version immediately. The fix includes improved input validation and restrictions on the api_requests function (Wordfence).