CVE-2025-9321 · CRITICAL 9.8 · EPSS p49.9%

Description

The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.74% probability of exploitation · percentile 49.9% · 2026-06-18T12:00:27Z
Published: 2025-09-23
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-94

References

  1. https://plugins.trac.wordpress.org/browser/wpcasa/trunk/includes/class-wpsight-api.php#L48
  2. https://plugins.trac.wordpress.org/changeset/3365172/
  3. https://www.wordfence.com/threat-intel/vulnerabilities/id/c1001b2b-395a-44ee-827e-6e57f7a50218?source=cve

Type | Target | Confidence | Tier
Weakness | Improper Control of Generation of Code ('Code Injection') (cwe-94) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2017-20251
  2. CVE-2025-9697
  3. CVE-2025-11170
  4. CVE-2025-9501
  5. CVE-2026-8981
  6. CVE-2025-13035
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.