PoC details: cd675cc9bed3ba7a89014cdbf23948d88b8dccd6

Source
Related vulnerability
Title: WordPress plugin Drag and Drop Multiple File Upload for Contact Form code issue vulnerability (CVE-2025-3515)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that supports hosting a personal blog site on a server running PHP and MySQL. A WordPress plugin is an application extension. WordPress plugin Drag and Drop Multiple File Upload for Contact Form 7 versions 1.3.8.9 and earlier contain a code issue vulnerability caused by insufficient file type validation, which could allow an unauthenticated attacker to upload dangerous file types such as .phar
Description
WordPress File Upload RCE Exploit
Introduction
# CVE-2025-3515 - WordPress File Upload RCE

## Usage

```bash
python3 exploit.py <target>
```

## Overview

**CVE-2025-3515** is a file upload vulnerability in the "Drag and Drop Multiple File Upload for Contact Form 7" WordPress plugin that allows unauthenticated attackers to upload malicious files and achieve remote code execution.

- **Plugin**: drag-and-drop-multiple-file-upload-contact-form-7
- **Affected Versions**: ≤ 1.3.8.9
- **Discovered by**: mikemyers (Wordfence)

## Technical details

### Vulnerable component
- **File**: `/inc/dnd-upload-cf7.php`
- **Function**: `dnd_upload_cf7_upload()` (line 856)

**Missing extensions in blacklist**: `.phar`, `.php5`, `.inc`

## Patch (Version 1.3.9.0) also appears to be vulnerable

### Additional findings

#### 1. File Write Operations
```php
// Line 107-108 - Potential path traversal
if ( $handle = fopen( $htaccess_file, 'w' ) ) {
    fwrite( $handle, "Options -Indexes \n <Files *.php> \n deny from all \n </Files>" );
    fclose( $handle ); // closing brace and fclose() added here; the quoted snippet ended mid-block
}
```

#### 2. Log File Creation
```php
// Line 523-524 - Unvalidated log writing
$file = fopen( $uploads_dir['upload_dir']."/logs.txt", "a");
fwrite( $file, "\n". ( is_array( $message ) ? print_r( $message, true ) : $message ) );
fclose( $file ); // added here to release the handle; the quoted snippet ended after the write
```

## Detection

### File system indicators
```bash
# Search for suspicious uploads (paths are relative to the WordPress document root)
find wp-content/uploads/ -type f \( -name "*.phar" -o -name "*.php5" -o -name "*.inc" \) -print

# Check for web shells (-l lists only the names of matching files)
grep -rlE "system|exec|shell_exec" wp-content/uploads/
```

### Log analysis
```bash
# Apache/Nginx access logs: the upload action only appears in the request line
# when it is passed as a query parameter; POST bodies are not logged by default,
# so also look for bursts of POST requests to admin-ajax.php from one client
grep "admin-ajax.php" /var/log/apache2/access.log | grep "dnd_codedropz_upload"

# WordPress debug logs (only present when WP_DEBUG_LOG is enabled)
grep "dnd_upload_cf7_upload" wp-content/debug.log
```
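The two detection checks above, combined into one defender-side triage script. This is an added example, not code from the PoC repository or from the plugin: it walks an uploads directory for the extensions the README says the blacklist missed (plus plain `.php`, an assumption on the grounds that an uploads directory should hold no executable PHP at all) and for PHP content that calls one of the exec-style functions the grep looks for, then reads access-log lines for `admin-ajax.php` requests that carry the plugin's upload action or that fetch a dangerous file from under `/wp-content/uploads/`. The sample files and log lines are constructed for the demo; `203.0.113.0/24` and `198.51.100.0/24` are documentation address ranges.

```python
"""Triage helpers for the CVE-2025-3515 indicators listed in the README.

Added example, not code from the PoC repository or the plugin. All sample
files and log lines below are constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions the README names as missing from the blacklist. Plain .php is added
# as an assumption: an uploads directory should hold no executable PHP at all.
DANGEROUS_EXTS = {".phar", ".php5", ".inc", ".php"}

# The exec-style calls the README's grep looks for, anchored to a call site.
SHELL_TOKENS = re.compile(rb"\b(system|exec|shell_exec)\s*\(")

# Common/combined log format: ip ident user [ts] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=dnd_codedropz_upload HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/May/2025:12:00:02 +0000] "GET /wp-content/uploads/2025/05/shell.phar HTTP/1.1" 200 42 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/May/2025:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2025:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]


def scan_uploads(uploads_dir, max_bytes=1_000_000):
    """Return [(path, reason)] for files under uploads_dir that need review."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = Path(root) / name
            ext = path.suffix.lower()
            if ext in DANGEROUS_EXTS:
                findings.append((str(path), f"dangerous extension {ext}"))
                continue
            # Content check: PHP code stored under an allowed extension is still
            # worth a look. Large files are skipped to keep the scan cheap.
            try:
                if path.stat().st_size <= max_bytes:
                    data = path.read_bytes()
                    if b"<?php" in data and SHELL_TOKENS.search(data):
                        findings.append((str(path), "PHP code with exec-style call"))
            except OSError:
                continue
    return findings


def triage_log(lines):
    """Split log lines into strong indicators and a per-IP count of POSTs to
    admin-ajax.php. The count is a weak signal: the action name travels in the
    POST body, which the access log does not record, so only bursts matter."""
    strong, weak = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"]
        path = url.split("?", 1)[0]
        ext = os.path.splitext(path)[1].lower()
        if path.endswith("/admin-ajax.php") and "dnd_codedropz_upload" in url:
            strong.append((m["ip"], "upload action in request line"))
        elif path.startswith("/wp-content/uploads/") and ext in DANGEROUS_EXTS:
            strong.append((m["ip"], f"request for {ext} file under uploads"))
        elif m["method"] == "POST" and path.endswith("/admin-ajax.php"):
            weak[m["ip"]] = weak.get(m["ip"], 0) + 1
    return strong, weak


def build_demo_tree():
    """Create a throwaway uploads tree of constructed files; returns its path."""
    base = Path(tempfile.mkdtemp(prefix="uploads_demo_"))
    month = base / "2025" / "05"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")           # benign
    (month / "doc.pdf").write_bytes(b"%PDF-1.4")                      # benign
    (month / "shell.phar").write_bytes(b"<?php /* placeholder */")   # bad extension
    (month / "readme.txt").write_bytes(b"<?php /* placeholder */ system(); ?>")  # bad content
    return base


if __name__ == "__main__":
    for path, reason in scan_uploads(build_demo_tree()):
        print(f"FILE  {reason}: {path}")
    strong, weak = triage_log(SAMPLE_LOG)
    for ip, reason in strong:
        print(f"LOG   {ip}: {reason}")
    for ip, n in weak.items():
        print(f"WEAK  {ip}: {n} POST(s) to admin-ajax.php")
```

Point `scan_uploads()` at the real `wp-content/uploads/` directory and feed `triage_log()` the lines of the access log; a hit on a dangerous extension under uploads is worth treating as an incident on its own, while the POST count only narrows down which client to inspect further.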

## References

- [Wordfence Threat Intelligence](https://www.wordfence.com/threat-intel/vulnerabilities/id/e1298242-61d2-49c1-bae7-96b5e12bd03d)
- [WordPress Plugin Repository](https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/)
- [Professor6T9 PoC](https://github.com/Professor6T9/CVE-2025-3515)
File snapshot

[4.0K] /data/pocs/cd675cc9bed3ba7a89014cdbf23948d88b8dccd6
├── [ 11K] exploit.py
├── [1.0K] LICENSE
├── [2.0K] README.md
└── [8.4K] v1exploit.py

0 directories, 4 files
The Shenlong bot has cached this for you.
Notes
    1. Accessing the PoC through its source is recommended.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.