Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-28915 PoC — WordPress plugin ThemeEgg ToolKit 代码问题漏洞

Source
https://github.com/Nxploited/CVE-2025-28915
Associated Vulnerability
Title:WordPress plugin ThemeEgg ToolKit 代码问题漏洞 (CVE-2025-28915)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin ThemeEgg ToolKit 1.2.9及之前版本存在代码问题漏洞,该漏洞源于允许上传危险类型文件,可能导致上传Web Shell。
Description
WordPress ThemeEgg ToolKit plugin <= 1.2.9 - Arbitrary File Upload vulnerability
Readme
# CVE-2025-28915 - WordPress ThemeEgg ToolKit Arbitrary File Upload Exploit

## 📌 Description
An **Unrestricted File Upload** vulnerability in the **ThemeEgg ToolKit** plugin for WordPress (versions **≤ 1.2.9**) allows **authenticated attackers** to upload **web shells** to the server. This can lead to **remote code execution (RCE)**, complete website takeover, and compromise of sensitive data.

- **CVE ID**: [CVE-2025-28915](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-28915)
- **Severity**: 🔴 Critical (CVSS: 9.1)
- **Affected Versions**: ThemeEgg ToolKit **≤ 1.2.9**
- **Attack Vector**: Authenticated, requires WordPress user with sufficient privileges
- **Impact**: Full server compromise, code execution, data exfiltration

---

## 🔥 Exploit Overview
This script automates the exploitation of **CVE-2025-28915** by:
1. **Checking the plugin version** to confirm vulnerability.
2. **Logging in to WordPress** using provided credentials.
3. **Extracting security nonce** required for authentication.
4. **Uploading a PHP Web Shell** via the vulnerable endpoint.
5. **Providing the shell URL** for post-exploitation.

---

## 🚀 Usage

### **Prerequisites:**
- Python 3.x
- `requests`, `beautifulsoup4`

### **Installation:**
```bash
pip install requests beautifulsoup4
```

### **Command Example:**
```bash
python CVE-2025-28915.py -u http://192.168.100.74:888/wordpress -un admin -p password123
```

### **Arguments:**
| Argument   | Description |
|------------|-------------|
| `-u` | Target WordPress URL (e.g., `http://target.com/wordpress`) |
| `-un` | WordPress username |
| `-p` | WordPress password |

---

## 🎯 Exploit Output Example
```plaintext
[+] Vulnerable version detected: 1.2.9
[+] Logged in successfully.
[+] Found security nonce: f82467a997
[*] Uploading Web Shell...
[+] Web Shell uploaded successfully!
[+] Potential Web Shell location: http://target.com/wp-content/uploads/2025/03/shell.php
[*] Test command: http://target.com/wp-content/uploads/2025/03/shell.php?cmd=id
```

---

## ⚠️ Mitigation
- **Upgrade** ThemeEgg ToolKit to a patched version (>1.2.9).
- **Restrict file uploads** to allow only necessary file types.
- **Implement security plugins** that block unauthorized file uploads.
- **Monitor logs** for suspicious activity.

---

## 📜 Legal Disclaimer
**This script is for educational and authorized security testing purposes only. Unauthorized use is illegal and unethical. The author assumes no liability for misuse.** 

*By: Khaled Alenazi (Nxploit)*
File Snapshot

 [4.0K]  /data/pocs/099fd03d5b1e5b560e955d3d7c50571f7967ff00
├── [4.4K]  CVE-2025-28915.py
└── [2.5K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.