CVE-2025-12189

MEDIUM

Bread & Butter: AI-Powered Lead Intelligence <= 7.11.1374 - Cross-Site Request Forgery via uploadImage() Function

Title source: llm

Description

The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.11.1374. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

References (5)

Core 5

Core References

https://plugins.trac.wordpress.org/changeset/3408692/bread-butter/trunk/src/Base/Ajax.php

Exploit

https://github.com/d0n601/CVE-2025-12189

View Exploit ZIP pw:eip

Product

https://plugins.trac.wordpress.org/browser/bread-butter/trunk/src/Base/Ajax.php#L411

Exploit

https://ryankozak.com/posts/cve-2025-12189/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/bb280004-e0ba-44c8-a205-8fec30900d86?source=cve

Scores

CVSS v3 4.3

EPSS 0.0027

EPSS Percentile 18.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (3)

breadbutter/Bread & Butter: AI-Powered Lead Intelligence < 7.11.1374

breadbutter/bread_\&_butter < 7.11.1374

breadbutter/bread_and_butter < 7.10.1321

Published Dec 05, 2025

Tracked Since Feb 18, 2026