Atomic Edge analysis of CVE-2025-68905 (metadata-based):
This vulnerability is an authenticated Local File Inclusion (LFI) flaw in the JNews – Pay Writer WordPress plugin in versions up to 11.0.0. An attacker with Subscriber-level or higher privileges can make the plugin include arbitrary files from the server's filesystem. The flaw resides in a plugin component that does not validate a user-supplied file path before passing it to a PHP file inclusion; when the included file contains PHP, the result is server-side code execution.
Atomic Edge research infers that the root cause is improper neutralization of a file path parameter that is passed to a PHP include or require statement (CWE-98). The public description states that attackers can include arbitrary files, including previously uploaded images, and thereby execute PHP code embedded in them. No code diff is available, so this conclusion rests on the CWE classification and the described impact; the plugin most likely hands unsanitized user input directly to a file inclusion function such as `include()` or `require_once()`.
Exploitation most likely involves a GET or POST request from an authenticated attacker to a WordPress AJAX handler or another plugin endpoint, carrying a file path in a parameter the plugin does not validate. The payload could traverse directories (e.g., `../../../wp-config.php`) or point at a previously uploaded file that contains PHP code. A common WordPress pattern is an AJAX action registered under a `wp_ajax_<action>` hook and reached through `/wp-admin/admin-ajax.php`; an action name such as `jnews_pay_writer_action` and a parameter named `file` or `template` are plausible but unconfirmed, since no endpoint details are public. Which techniques work depends on how the plugin builds the path: a hard-coded `.php` suffix blocks the uploaded-image route on any modern PHP (null-byte truncation has not worked since PHP 5.3.4), while a fixed directory prefix blocks stream wrappers such as `php://filter`.
Remediation requires strict validation of any user-controlled input used in file operations. The patched version should restrict inclusion to an allowlist of known template names resolved inside a fixed directory, rather than accepting paths at all, and reject input containing traversal sequences or stream wrapper prefixes. The plugin should also enforce a capability check and a nonce on the endpoint even though authentication is already required, because the flaw is reachable by Subscribers. Note that `sanitize_file_name()` strips directory separators but is designed for bare file names, not paths; the standard fix is to resolve the candidate with `realpath()` and confirm the result lies under the allowed base directory before including it.
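The following is an added example written for this analysis, not code from the JNews plugin or its patch. It places the inclusion pattern inferred above (user input flowing straight into `include()`) beside a hardened resolver that applies the allowlist-plus-`realpath()` containment check described in the remediation paragraph, then runs both constructed legitimate and constructed malicious inputs through the hardened path. Function names, the `template` parameter, the nonce action name and the template directory layout are all hypothetical; `check_ajax_referer()` and `current_user_can()` are real WordPress functions and appear only in a comment so the file runs stand-alone with `php`.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Contrasts the inferred vulnerable
// inclusion pattern with a hardened resolver. All names are hypothetical.

/**
 * Vulnerable pattern (illustration only, never called below): the request
 * parameter reaches include() unchanged, so "../../wp-config.php",
 * "../uploads/2025/01/avatar.jpg" or "php://filter/..." are all accepted.
 */
function render_template_vulnerable(string $template_dir, string $requested): void
{
    include $template_dir . '/' . $requested;
}

/**
 * Hardened resolver. Returns the absolute path of a template that is
 * (1) on the allowlist of known template keys, and (2) proven by realpath()
 * to live inside $template_dir. Returns null for anything else.
 */
function resolve_template(string $template_dir, string $requested, array $allowlist): ?string
{
    // Reject null bytes up front; PHP 8 filesystem functions throw on them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Allowlist first: the caller picks a key, never a path.
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }
    $base = realpath($template_dir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../", resolves symlinks and returns false for
    // non-existent targets, so the containment check sees the real location.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened handler as it would be wired in WordPress (hypothetical action and
 * parameter names). Written as a plain function so the file runs outside WP.
 */
function handle_render_request(array $request, string $template_dir): string
{
    // In the plugin this would be preceded by:
    //   check_ajax_referer('jnews_pay_writer_render');        // CSRF nonce
    //   if (!current_user_can('edit_posts')) { wp_die(); }    // capability gate
    $allowlist = ['summary', 'invoice'];
    $path = resolve_template($template_dir, (string) ($request['template'] ?? ''), $allowlist);
    if ($path === null) {
        return 'rejected';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// --- Demo with a constructed template directory in the system temp dir ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/summary.php', '<?php echo "summary template";');
file_put_contents($dir . '/invoice.php', '<?php echo "invoice template";');

$inputs = [
    'summary',                                   // legitimate
    'invoice',                                   // legitimate
    '../../wp-config',                           // directory traversal
    '../uploads/2025/01/avatar.jpg',             // uploaded image carrying PHP
    'php://filter/convert.base64-encode/resource=../wp-config.php',
    "summary\0",                                 // null-byte truncation attempt
    'SUMMARY',                                   // not exactly on the allowlist
];
foreach ($inputs as $in) {
    printf("%-70s -> %s\n", json_encode($in), handle_render_request(['template' => $in], $dir));
}

unlink($dir . '/summary.php');
unlink($dir . '/invoice.php');
rmdir($dir);
```

Only the two allowlisted keys render; every other input is rejected before any filesystem call that could be influenced by it. The `realpath()` containment check is redundant while the allowlist holds, but it is kept so that a future change that loosens the allowlist (for example, accepting theme-provided template names) still cannot escape the template directory.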
The impact of successful exploitation is severe. Including a previously uploaded file that contains PHP gives the attacker arbitrary code execution in the web server's context, which amounts to full site takeover, including access to the database credentials held in `wp-config.php`. Directly including `wp-config.php` executes it rather than revealing its contents; disclosing the file through LFI normally requires a stream wrapper such as `php://filter`, which only works if the attacker controls the start of the path. Because the entry point is available to Subscribers, the flaw bypasses the plugin's access controls and acts as a privilege escalation vector, letting a low-privileged account perform actions far beyond its assigned role.
