
[New Templates] Add 5 WordPress Critical CVE Templates (Round 5 - 2025) #15917

Open
eyangfeng88-arch wants to merge 3 commits into projectdiscovery:main from eyangfeng88-arch:add-cve-sept-round5

@eyangfeng88-arch

New Nuclei Templates: WordPress 2025 Critical Vulnerabilities (Round 5)

This PR adds 5 high-impact detective templates for unauthenticated critical vulnerabilities discovered in 2025, optimized for maximum reliability and WAF bypass.

Templates Added

| # | CVE ID | Plugin/Theme | Severity | Type |
|---|--------|--------------|----------|------|
| 1 | CVE-2025-54738 | Jobmonster Theme | Critical (9.8) | Auth Bypass (Admin) |
| 2 | CVE-2025-5947 | Service Finder Bookings | Critical (9.8) | Auth Bypass (Admin) |
| 3 | CVE-2025-7384 | Database for Contact Form 7 | Critical (9.8) | PHP Object Injection (RCE) |
| 4 | CVE-2025-23921 | Multi Uploader for Gravity | Critical (9.8) | Arbitrary File Upload |
| 5 | CVE-2025-24759 | WP-BusinessDirectory | High (8.8) | SQL Injection |

Implementation Highlights (Gold Standard)

  • Auth Bypass Verification: Uses header wordpress_logged_in and body id="wpadminbar" for precise confirmation.
  • RCE Safety (7384): Implements safe object instantiation to verify the deserialization sink without harmful payloads.
  • AFU Stealth: Uses {{randstr}} dynamic naming to prevent file collisions.
  • Resilient Versioning: Handles hidden readme.txt gracefully using (|| !version) logic.
  • Metadata Compliance: Tags sorted alphabetically, correct CWE/CVSS mapping.

Quality Audit Results

  • Format (Audit-B): PASS
  • Security Logic (Audit-C): PASS
  • Practical Exploitability (Expert-D): PASS
  • Metadata Compliance (Expert-E): PASS

Submitted by author alita-p8.
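
The "Resilient Versioning" bullet above describes a `(|| !version)` gate; the sketch below is an added example, not code from this PR's templates, showing one reading of that rule and why a pass caused by an unreadable readme.txt should be triaged separately from a confirmed in-range version. The `Stable tag:` field, the function names and the fixed-in version `1.3.0` are assumptions made for illustration.

```python
import re

# Assumption: the plugin readme.txt carries its version as "Stable tag: x.y.z".
STABLE_TAG = re.compile(r"^\s*Stable tag:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.I | re.M)


def extract_version(readme_body):
    """Return the version as a tuple of ints, or None when it cannot be read."""
    if not readme_body:
        return None
    m = STABLE_TAG.search(readme_body)
    if not m:  # covers "Stable tag: trunk" and soft-404 HTML pages
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(a, b):
    """Right-pad both tuples with zeros so 1.3 compares equal to 1.3.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_gate(status, readme_body, fixed_in):
    """Classify a target under a 'version < fixed || !version' rule.

    Returns 'in-range', 'unknown-version' or 'patched'.
    """
    version = extract_version(readme_body) if status == 200 else None
    if version is None:
        return "unknown-version"
    v, f = _pad(version, fixed_in)
    return "in-range" if v < f else "patched"


def gate_passes(verdict):
    """Both 'in-range' and 'unknown-version' let the rest of the check run."""
    return verdict != "patched"


if __name__ == "__main__":
    FIXED_IN = (1, 3, 0)  # constructed placeholder, not a real fixed version
    samples = [  # constructed responses: (HTTP status, body)
        (200, "=== Demo Plugin ===\nStable tag: 1.2.3\n"),
        (200, "=== Demo Plugin ===\nStable tag: 1.3\n"),
        (403, ""),
        (200, "<html><body>Page not found</body></html>"),
    ]
    for status, body in samples:
        verdict = version_gate(status, body, FIXED_IN)
        print(status, verdict, "gate passes:", gate_passes(verdict))
```

Reporting `unknown-version` as its own state lets a reviewer see how many findings rest on the fallback rather than on a version that was actually read.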

@neo-by-projectdiscovery-dev
Contributor

neo-by-projectdiscovery-dev bot commented Apr 15, 2026

Neo - Nuclei Template Review

No security issues found

Hardening Notes
  • Author addressed all blocking issues from initial review - good progress
  • Remaining issues are metadata accuracy and documentation gaps, not template syntax errors
  • CVE-2025-23921 and CVE-2025-5947 are production-ready
  • CVE-2025-7384 passive detection is appropriate given lack of universal POP chain

