CVE-2025-9112
WordPress · WordPress Doccure Theme
Executive summary
A critical vulnerability has been identified in the Doccure theme for WordPress, which allows an attacker to upload malicious files directly to the server. This flaw is due to improper validation of file types, enabling an unauthenticated attacker to bypass security checks and potentially gain complete control over the affected website, leading to data theft, website defacement, or further attacks against visitors.
Vulnerability
The vulnerability exists within the doccure_temp_file_uploader function of the Doccure theme. This function fails to properly validate the type of files being uploaded, creating an arbitrary file upload vulnerability. An unauthenticated attacker can craft a malicious request to this function to upload a file with a dangerous extension (e.g., a PHP web shell). Once the malicious file is on the server, the attacker can access it via a web browser to execute arbitrary code with the permissions of the web server, leading to a full system compromise.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit could have severe consequences for the business, including a complete compromise of the web server. This could lead to a breach of sensitive data such as customer information or internal documents, significant reputational damage, and financial loss from recovery costs and potential regulatory fines. Furthermore, the compromised server could be used as a platform to launch further attacks, distribute malware, or host phishing campaigns, exposing the organization to additional liability.
Remediation
Immediate Action: Immediately update the Doccure WordPress theme to the latest version provided by the vendor, which addresses this vulnerability. If the theme is no longer required or maintained, it should be disabled and removed from the WordPress installation to eliminate the risk entirely.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the endpoint associated with the doccure_temp_file_uploader function, particularly those involving file uploads with script extensions (.php, .phtml, etc.). Implement File Integrity Monitoring (FIM) to detect the creation of unexpected files in web-accessible directories. Monitor for unusual outbound network traffic from the web server, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to block the upload of executable file types. Additionally, configure web server permissions to prevent script execution in the uploads directory as a defense-in-depth measure.
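The File Integrity Monitoring step under Proactive Monitoring, as an added example (not code from the advisory, the theme or its vendor): a baseline-and-compare scan of a web-accessible upload directory that raises an alert for new or changed files carrying a script extension. The directory path, the baseline file and every extension other than .php and .phtml are assumptions.

```python
import hashlib
from pathlib import Path

# .php and .phtml are named in the advisory; the other entries are assumed additions.
SCRIPT_EXTS = {"php", "phtml", "phar", "pht", "php5", "php7"}

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state

def has_script_ext(rel_path):
    """True if any dot-separated part of the file name is a script extension."""
    # Case-insensitive and checks every part, so 'x.php.jpg' and 'X.PhP' both match.
    parts = rel_path.rsplit("/", 1)[-1].lower().split(".")[1:]
    return any(part in SCRIPT_EXTS for part in parts)

def compare(baseline, current):
    """Return sorted (severity, change, path) tuples for files that differ."""
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            change = "created"
        elif baseline[path] != digest:
            change = "modified"
        else:
            continue
        severity = "ALERT" if has_script_ext(path) else "review"
        findings.append((severity, change, path))
    for path in baseline.keys() - current.keys():
        findings.append(("review", "deleted", path))
    return sorted(findings)

if __name__ == "__main__":
    import json, sys
    # Usage: script <upload_dir> <baseline.json>; keep the baseline outside the web root.
    root, baseline_file = sys.argv[1], Path(sys.argv[2])
    now = snapshot(root)
    if baseline_file.exists():
        for finding in compare(json.loads(baseline_file.read_text()), now):
            print(*finding)
    else:
        baseline_file.write_text(json.dumps(now))
```

The first run records the baseline and later runs print differences against it; any ALERT line in an upload directory warrants immediate investigation.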
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the high CVSS score of 8.8 and the public availability of exploit code, this vulnerability poses a critical and immediate threat. Successful exploitation grants an attacker full control of the affected website and underlying server. Although CVE-2025-9112 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity and the ease of exploitation demand urgent action. We strongly recommend that organizations immediately apply the vendor-supplied patch or remove the vulnerable theme to prevent compromise.