Share
## https://sploitus.com/exploit?id=5B67BBAC-60F0-5BD3-A2BF-A180527CEA00
# CVE-2025-6440 โ€” WordPress WooCommerce Dynamic Pricing & Discounts Plugin

## Overview

This repository contains a Python proof-of-concept (PoC) script for testing an **unauthenticated file upload vulnerability** affecting the WordPress WooCommerce Dynamic Pricing & Discounts plugin.

> โš ๏ธ This project is intended strictly for **authorized security testing**, **research**, and **educational purposes** only.

---

## Vulnerability Information

* **CVE ID:** CVE-2025-6440
* **Affected Component:** WordPress WooCommerce Dynamic Pricing & Discounts Plugin
* **Issue Type:** Unauthenticated File Upload
* **Impact:** Remote Code Execution (RCE)
* **Attack Vector:** Remote / Unauthenticated

The vulnerability allows attackers to upload arbitrary files through an exposed AJAX endpoint without authentication.

---

## Features

* Batch target processing from file input
* Multi-threaded execution
* Automatic upload verification
* Success and failure logging
* Simple CLI usage

---

## Requirements

* Python 3.8+
* `requests` library

Install dependencies:

```bash
pip install requests
```

---

## Files

| File                 | Description                 |
| -------------------- | --------------------------- |
| `CVE-2025-6440.py`   | Main PoC script             |
| `CVE-2025-6440.yaml` | YAML configuration/template |
| `success`            | Successful upload results   |
| `failed`             | Failed upload attempts      |

---

## Usage

Create a text file containing target URLs:

```txt
https://example.com
https://target-site.com
```

Run the script:

```bash
python3 CVE-2025-6440.py targets.txt
```

Run with custom thread count:

```bash
python3 CVE-2025-6440.py targets.txt --threads 10
```

---

## Output

### Successful Targets

Successful uploads are stored in:

```txt
success
```

### Failed Targets

Failed attempts are stored in:

```txt
failed
```

---

## How It Works

The script:

1. Reads a list of WordPress targets
2. Sends a crafted POST request to:

```txt
/wp-admin/admin-ajax.php
```

3. Uses the vulnerable AJAX action:

```txt
wcdp_save_canvas_design_ajax
```

4. Uploads a test PHP payload
5. Verifies whether the uploaded file is publicly accessible

---

## Disclaimer

This repository is provided for:

* Security research
* Educational purposes
* Authorized penetration testing
* Defensive security validation

Do not use this project against systems you do not own or have explicit permission to test.

The author assumes no liability and is not responsible for misuse or damage caused by this project.

---

## Legal Notice

Unauthorized exploitation of systems may violate local, national, and international laws.

Always obtain proper authorization before conducting security assessments.

---

## Mitigation Recommendations

Website administrators should:

* Update the vulnerable plugin immediately
* Restrict access to sensitive AJAX endpoints
* Disable arbitrary file uploads
* Monitor `/wp-content/uploads/` for suspicious files
* Deploy a Web Application Firewall (WAF)
* Enable server-side upload validation

---

## Educational Purpose Statement

This proof-of-concept was created to help:

* Security researchers
* Penetration testers
* Blue teams
* WordPress administrators

understand and validate the impact of insecure file upload vulnerabilities.

---

## Reference

* WordPress Security Advisories
* CVE Database
* OWASP File Upload Security Guidelines

---

## Author

Security Research / Educational Project