支持本站 — 捐款将帮助我们持续运营

目标: 1000 元,已筹: 1000

100.0%
立即捐款

POC详情: 7c6ddc15ab5e9c6b9ee5d20cd32a48dec62e3365

来源
https://github.com/d0n601/CVE-2025-12399
关联漏洞
标题:WordPress plugin Alex Reservations: Smart Restaurant Booking 代码问题漏洞 (CVE-2025-12399)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Alex Reservations: Smart Restaurant Booking 2.2.3及之前版本存在代码问题漏洞,该漏洞源于/wp-json/srr/v1/app/upload/file REST端点缺少
Description
Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload
介绍
Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload

The WordPress [Alex Reservations](https://wordpress.org/plugins/alex-reservations) plugin (versions 2.2.3 and prior) contains an arbitrary file upload vulnerability that allows authenticated WordPress administrators to upload malicious PHP files to the server, potentially leading to remote code execution.


## TL;DR Exploits

A POC [CVE-2025-12399.py](./CVE-2025-12399.py) is provided to demonstrate a remote attacker uploading `shell.php` and executing remote code:
```
python3 ./CVE-2025-12399.py https://TARGETSITE.com admin "$PASSWORD"                                                                                            
[+] Target: http://TARGETSITE.com
[+] Username: admin
[+] Nonce obtained: 022b25d0a5
[+] File uploaded successfully!
[+] Shell URL: https://TARGETSITE.com/wp-content/uploads/alex-reservations/2025/10/shell.php
[+] Command output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```


## Technical Description

The vulnerability exists in the `UploadFileController.php` file at the `/wp-json/srr/v1/app/upload/file` endpoint. The upload functionality lacks proper file validation and only performs basic filename sanitization using a regex pattern. This allows authenticated WordPress administrators to upload arbitrary files, including PHP files that can be executed on the server.

### Attack Path Analysis

**Source**: User input from `$_FILES['file']` ([line 13](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L13))
**Sink**: `copy($file['tmp_name'], $target_dir_file)` ([line 38](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L38))

The vulnerability occurs because:

1. **Route Registration**: The upload endpoint is registered in [`routes.php`](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/routes/routes.php#L294).
2. **Controller Access**: The `UploadFileController` extends the base `Controller`.
3. **Input Processing**: User-controlled file data from `$_FILES['file']` is directly processed without validation.
4. **File Handling**: Only basic filename sanitization is applied using regex: `preg_replace('/[^a-z0-9_\.\-[:space:]]/i', '_', $file_name)` ([line 50](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L50))
5. **File Storage**: Files are saved to `wp-content/uploads/alexr-uploads/YYYY/MM/` without MIME type validation or file extension restrictions.

### Vulnerable Code Location

**File**: [`includes/application/Alexr/Http/Controllers/UploadFileController.php`](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php)
**Lines**: [11-53](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L11)

```php
public function upload(Request $request)
{
    $file = $_FILES['file'];  // SOURCE: User input ([line 13](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L13))
    
    // Target dir / url
    $upload_dir = wp_upload_dir();
    $date = evavel_date_now()->format('Y/m');
    $base_dir = $upload_dir['basedir'].'/'.ALEXR_UPLOAD_FOLDER.'/'.$date;
    $base_url = $upload_dir['baseurl'].'/'.ALEXR_UPLOAD_FOLDER.'/'.$date;

    if (!file_exists($base_dir)) {
        $folder_created = wp_mkdir_p($base_dir);
        if (!$folder_created) {
            return $this->response([
                'success' => false,
                'error' => __eva('Error creating folder.')
            ]);
        }
    }

    $file_name = $file['name'];
    $file_name = preg_replace('/[^a-z0-9_\.\-[:space:]]/i', '_', $file_name);  // Only basic sanitization ([line 50](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L50))

    $target_dir_file = $base_dir.'/'.$file_name;
    $target_url_file = $base_url.'/'.$file_name;

    $result = copy($file['tmp_name'], $target_dir_file);  // SINK: Direct file copy ([line 38](https://plugins.trac.wordpress.org/browser/alex-reservations/trunk/includes/application/Alexr/Http/Controllers/UploadFileController.php#L38))

    if (!$result) {
        return $this->response([
            'success' => false,
            'error' => __eva('Error saving file.')
        ]);
    }

    return $this->response([
        'success' => true,
        'file_path' => $target_dir_file,
        'file_url' => $target_url_file,
        'message' => __eva('Uploaded.')
    ]);
}
```
文件快照

 [4.0K]  /data/pocs/7c6ddc15ab5e9c6b9ee5d20cd32a48dec62e3365
├── [2.8K]  CVE-2025-12399.py
└── [4.8K]  README.md

1 directory, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。