CVE-2025-9321
WPCasa <= 1.4.1 - Unauthenticated Code InjectionThe WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.
We have discovered 356 live websites that are affected by CVE-2025-9321.
Affected Software
| Product |  Wpcasa |
| Category | Wordpress Plugins |
| Vulnerable Domains | 356 live websites (92% of Wpcasa install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 14 versions ( 93% of all versions) |
Common Weakness Enumeration
CWE-94 Improper Control of Generation of Code ('Code Injection')Details
- Published - Sep 23, 2025
- Updated - Sep 23, 2025
Credits
- Michael Mazzolini (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-9321 United States | 110 websites |
 Germany | 74 websites |
 Spain | 34 websites |
 Australia | 28 websites |
 Italy | 20 websites |
 France | 16 websites |
 Russia | 8 websites |
 GB | 6 websites |
 New Zealand | 6 websites |
 Cyprus | 5 websites |
Website Distribution by TLD
Number of websites using CVE-2025-9321| .com | 121 websites |
| .com.au | 81 websites |
| .de | 48 websites |
| .it | 13 websites |
| .es | 13 websites |
| .ru | 7 websites |
| .net | 6 websites |
| .at | 5 websites |
| .ch | 3 websites |
| .eu | 3 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-9321
Top websites that are affected by CVE-2025-9321. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.***.au | Australia | **,*** | |
| ***********.de | Germany | *,***,*** | |
| *************.de | Germany | *,***,*** | |
| *********.de | Germany | *,***,*** | |
| ************.com | Italy | *,***,*** | |
| **********.**.nz | New Zealand | *,***,*** | |
| ********************.com | United States | *,***,*** | |
| ************************.de | Germany | *,***,*** | |
| ***************.de | Germany | *,***,*** | |
| *************.**.nz | New Zealand | *,***,*** |
FAQ
CVE-2025-9321 is Improper Control of Generation of Code ('Code Injection') in Wpcasa
A total of 356 websites have been identified as vulnerable to CVE-2025-9321, based on global website indexing conducted by WebTechSurvey.
The Wpcasa is affected by the CVE-2025-9321 vulnerability.
Wpcasa versions up to and including 1.4.1 are vulnerable to CVE-2025-9321.