PoC details: 484ea7f2e63263aff85fa4a9c7627ad135ac6c63

Source
Related vulnerability
Title: WordPress plugin Online Booking & Scheduling Calendar for WordPress by vcita code issue vulnerability (CVE-2025-54677)
Description: WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an add-on application for the platform. The WordPress plugin Online Booking & Scheduling Calendar for WordPress by vcita, version 4.5.3 and earlier, contains a security vulnerability that stems from unrestricted upload of files of dangerous types, which may allow malicious files to be used.
Description
WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.5.3 is vulnerable to a medium-priority Arbitrary File Upload vulnerability.
Introduction
Sink: the weak check only validates the Content-Type header, which leads to an arbitrary file upload vulnerability and, through it, remote code execution (RCE) on the system.
<img width="1281" height="747" alt="image" src="https://github.com/user-attachments/assets/a82cecea-9919-47ed-9f71-b1522a74f6b9" />
PoC: Change the Content-Type field to image/png and the file signature to GIF87a
<img width="1919" height="1019" alt="image" src="https://github.com/user-attachments/assets/9fd43c57-412e-45f2-ae56-b0135c845ce8" />
<img width="928" height="470" alt="image" src="https://github.com/user-attachments/assets/9b2154f4-95ce-43e5-b943-89f5857cde6c" />

File snapshot

[4.0K] /data/pocs/484ea7f2e63263aff85fa4a9c7627ad135ac6c63
└── [ 585] README.md

0 directories, 1 file
Cached for you by the Shenlong robot
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.