CVE-2025-12399

HIGH

Alex Reservations: Smart Restaurant Booking <2.2.3 - File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-12399. PoCs published by d0n601.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2025-12399, an authenticated arbitrary file upload vulnerability in the Alex Reservations WordPress plugin. The exploit demonstrates uploading a malicious PHP file and executing remote commands.

Description

The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploits (1)

github WORKING POC
by d0n601 · pythonpoc
https://github.com/d0n601/CVE-2025-12399

The repository contains a functional exploit for CVE-2025-12399, an authenticated arbitrary file upload vulnerability in the Alex Reservations WordPress plugin. The exploit demonstrates uploading a malicious PHP file and executing remote commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Alex Reservations: Smart Restaurant Booking <= 2.2.3
Auth required
Prerequisites: WordPress admin credentials · Alex Reservations plugin <= 2.2.3 installed
devstral-2 · analyzed May 17, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 7.2
EPSS 0.0056
EPSS Percentile 42.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
alexreservations/Alex Reservations: Smart Restaurant Booking < 2.2.3
Published Nov 08, 2025
Tracked Since Feb 18, 2026