漏洞平台

POC详情： 9a551ea65bed2dcbe6d1fed60819fd94f064da9a

来源

https://github.com/B1ack4sh/Blackash-CVE-2025-4403

关联漏洞

标题： WordPress plugin Drag and Drop Multiple File Upload for WooCommerce 代码问题漏洞 (CVE-2025-4403)
描述：WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Drag and Drop Multiple File Upload for WooCommerce 1.1.6及之前版本存在代码问题漏洞，该漏洞源于upload函数未验证文件扩展名和MIME类型，可能导致任意文件上传。

描述

CVE-2025-4403

介绍

# CVE-2025-4403 : Unauthenticated Arbitrary File Upload Vulnerability in Drag and Drop Multiple File Upload for WooCommerce 🧬

---

### 🔍 Overview:

* **Title:** Arbitrary File Upload Vulnerability in "Drag and Drop Multiple File Upload for WooCommerce" (WordPress plugin)
* **Affected Versions:** All versions up to **1.1.6**
* **Fixed In:** Version **1.1.7**
* **Discovered By:** RIN MIYACHI
* **Analyzed By:** Wordfence

---

### ⚠️ Technical Impact:

* **Vulnerability Type:** Unauthenticated Arbitrary File Upload (CWE‑434)
* **Attack Vector:** Remote (no authentication required)
* **CVSS v3.1 Score:** 9.8 – **Critical ⚫**
* **Impact:**

  * Upload of arbitrary files (e.g., `.php`)
  * Remote code execution
  * Full server compromise

---

### 🛠️ Mitigation & Recommendations:

1. **Update** the plugin to version **1.1.7** immediately.
2. If not using the plugin, **remove or deactivate** it.
3. **Secure file uploads** by:

   * Enforcing MIME type and extension checks
   * Disabling file execution in upload directories
   * Logging and monitoring upload activity
4. **Restrict permissions** on upload folders (e.g., disable execution).

---

## Usage:

```
usage: python3 CVE-2025-4403.py
```

---

### Script Details:

### Requirements

+ Python 3.x
+ `requests` library

### Installation:

1. Clone the repository:

```
sudo git clone https://github.com/B1ack4sh/Blackash-CVE-2025-4403.git
cd Blackash-CVE-2025-4403
```

2. Install the required Python packages:

```
pip install requests
```

---

### 📝 Summary Table:

| 📛 Field     | 📌 Details                                       |
| ------------ | ------------------------------------------------ |
| Plugin       | Drag & Drop Multiple File Upload for WooCommerce |
| Vulnerable   | Versions ≤ 1.1.6                                 |
| Fixed In     | Version 1.1.7                                    |
| CVSS Score   | 9.8 (Critical)                                   |
| Exploit Type | Unauthenticated Arbitrary File Upload            |
| Risk         | Remote Code Execution, Full Site Compromise      |

---

### ⚠️ Disclaimer:

This script is intended for educational purposes only. Use it responsibly and only on systems for which you have explicit permission. Unauthorized use of this script is illegal and unethical !!!

文件快照


 [4.0K]  /data/pocs/9a551ea65bed2dcbe6d1fed60819fd94f064da9a
├── [3.7K]  CVE-2025-4403.py
└── [2.3K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。