CVE-2025-12673

CRITICAL

Flex QR Code Generator <1.2.6 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-12673. PoCs published by d0n601.

AI-analyzed exploit summary The repository provides a functional exploit for CVE-2025-12673, demonstrating an unauthenticated arbitrary file upload vulnerability in the Flex QR Code Generator WordPress plugin. The exploit leverages the `update_qr_code` AJAX endpoint to upload a malicious PHP file, leading to remote code execution.

Description

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploits (1)

nomisec WORKING POC
by d0n601 · poc
https://github.com/d0n601/CVE-2025-12673

The repository provides a functional exploit for CVE-2025-12673, demonstrating an unauthenticated arbitrary file upload vulnerability in the Flex QR Code Generator WordPress plugin. The exploit leverages the `update_qr_code` AJAX endpoint to upload a malicious PHP file, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Flex QR Code Generator WordPress plugin <= 1.2.6
No auth needed
Prerequisites: Target must have the Flex QR Code Generator plugin installed and activated
devstral-2 · analyzed May 09, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.0063
EPSS Percentile 45.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
ajitdas/Flex QR Code Generator < 1.2.6
ajitdas/Flex QR Code Generator < 1.2.7
Published Dec 06, 2025
Tracked Since Feb 18, 2026