漏洞平台

POC详情： 3b12a5edb4919716d99aae2deef2a3fb022e6d07

来源

https://github.com/LvL23HT/PoC-CVE-2025-3914-Aeropage-WordPress-File-Upload

关联漏洞

标题： WordPress plugin Aeropage Sync for Airtable 代码问题漏洞 (CVE-2025-3914)
描述：WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Aeropage Sync for Airtable 3.2.0及之前版本存在代码问题漏洞，该漏洞源于缺少文件类型验证，可能导致任意文件上传。

描述

CVE-2025-3914-PoC | The Aeropage Sync for Airtable WordPress plugin (≤ v3.2.0) is vulnerable to authenticated arbitrary file uploads due to insufficient file type validation in the aeropage_media_downloader function.

介绍

# **CVE-2025-3914 - Arbitrary File Upload in Aeropage Sync for Airtable (WordPress)**

## **Description**
The **Aeropage Sync for Airtable** WordPress plugin (≤ v3.2.0) is vulnerable to **authenticated arbitrary file uploads** due to insufficient file type validation in the `aeropage_media_downloader` function.  

- **Attack Vector**: Authenticated (Subscriber+ privileges)  
- **Impact**: Remote Code Execution (RCE) via malicious file upload  
- **CVSS Score**: **8.8 (High)**  
- **CVE ID**: **CVE-2025-3914**  

## **Vulnerable Code**
The plugin fails to properly validate:  
1. **File extensions**  
2. **MIME types** (`$mediaObject['type']` only checks superficial headers)  
3. **File content** (no magic byte verification)  

### **Key Vulnerable Functions**  
```php
// Insufficient MIME check (bypassable)
if(aeropageValidateMediaType($mediaObject['type'], $mimeTypes) == false){...}

// Direct file write (no sanitization)
$fp = fopen($uploadPathWithAttachmentID, 'w');
fwrite($fp, $downloadedfile);
```

## **Proof of Concept (PoC)**
### **Requirements**
- Python 3.x + `requests`  
- Valid **Subscriber-level** WordPress credentials  

### **Exploit Steps**
1. **Authenticate** as a low-privilege user (Subscriber)  
2. **Upload** a malicious `.php` file disguised as an image  
3. **Execute** arbitrary code via the uploaded file  

```bash
python3 CVE-2025-3914-PoC.py -u http://vulnerable-site.com -l subscriber -p password123
```

## **Mitigation**
1. **Update** to plugin version **> 3.2.0** (if available)  
2. **Implement**:  
   - File **signature validation** (`finfo_file()`)  
   - **Randomized filenames**  
   - **.htaccess** restrictions in upload directories  

## **References**
- [CVE-2025-3914](https://nvd.nist.gov/vuln/detail/CVE-2025-3914)  
- [OWASP Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)  


---

### **Key Improvements Over Generic PoC**
1. **WordPress-specific authentication** (handles cookies/nonces)  
2. **Fake JPEG header** + PHP payload (bypasses superficial checks)  
3. **Automatic URL extraction** from response (if possible)  
4. **Subscriber-level focus** (matches CVE details)  

### **Usage**
```bash
python3 CVE-2025-3914-PoC.py -u http://wp-site.com -l subscriber -p password123
```

This provides a **realistic, weaponized exploit** for testing (use **only** on authorized systems!). Let me know if you'd like additional refinements. 🔥

文件快照


 [4.0K]  /data/pocs/3b12a5edb4919716d99aae2deef2a3fb022e6d07
├── [2.0K]  CVE-2025-3914-PoC.py
├── [1.0K]  LICENSE
└── [2.4K]  README.md

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。