CVE-2025-12674

CRITICAL

KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload via create_media() Function


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-12674. PoCs published by Nxploited.

AI-analyzed exploit summary: This is a Python-based exploit for CVE-2025-12674 targeting a vulnerability in KiotViet, allowing unauthenticated remote shell upload via a JSON API endpoint. The PoC automates the process of uploading a remote shell to vulnerable WordPress instances.

Description

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploits (1)

nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2025-12674


Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: KiotViet (WordPress plugin)
No auth needed
Prerequisites: List of target URLs in a file · Remote shell URL (e.g., PHP shell hosted by attacker)
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0068
EPSS Percentile 47.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
mykiot/KiotViet Sync < 1.8.5
Published Nov 05, 2025
Tracked Since Feb 18, 2026