CVE-2025-9321

CRITICAL 9.8

WPCasa <= 1.4.1 - Unauthenticated Code Injection

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.

CWE	CWE-94
Vendor	wpsight
Product	wpcasa
Published	Sep 23, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for wpsight wpcasa

Be the first to know when new critical vulnerabilities affecting wpsight wpcasa are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

wpsight / WPCasa

0 ≤ 1.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c1001b2b-395a-44ee-827e-6e57f7a50218?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wpcasa/trunk/includes/class-wpsight-api.php#L48 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3365172/

Credits

Michael Mazzolini