CVE-2025-11170 — AI Deep Analysis Summary

🚨 **Essence**: Unauthenticated Arbitrary File Upload in `Cpiwm_Import_Controller::import`.…

🛡️ **Root Cause**: Missing file type validation. <br>🔍 **CWE**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). <br>❌ **Flaw**: The plugin accepts any file extension without checking if it's safe.

🏢 **Vendor**: kddiwebcommunications. <br>📦 **Product**: WP移行専用プラグイン for CPI. <br>📉 **Affected Versions**: **1.0.2 and earlier**. <br>🌐 **Platform**: WordPress.

💀 **Attacker Actions**: <br>1. Upload **arbitrary files** (PHP shells, scripts). <br>2. Execute code on the server. <br>3. Steal sensitive data. <br>4. Take over the entire WordPress site.…

📉 **Threshold**: **VERY LOW**. <br>🔑 **Auth**: **None required** (Unauthenticated). <br>⚙️ **Config**: Default installation is vulnerable. <br>🎯 **Ease**: Trivial for any attacker with network access.

🚀 **Exploit Available**: **YES**. <br>📂 **PoC**: Public on GitHub (`Nxploited/CVE-2025-11170`). <br>🌍 **Status**: Active exploitation risk is **HIGH** due to easy access.

🔍 **Self-Check**: <br>1. Scan for plugin: `WP移行専用プラグイン for CPI`. <br>2. Check version: Is it **≤ 1.0.2**? <br>3. Use scanners (e.g., WPScan) to detect **CWE-434** patterns in the import endpoint.

🛡️ **Fix Status**: <br>✅ **Patch**: Update to version **> 1.0.2** (if available). <br>📝 **Reference**: Check WordPress.org plugin page for updates.…

🚧 **Workaround (No Patch)**: <br>1. **Disable/Deactivate** the plugin immediately. <br>2. **Block** the import endpoint via WAF. <br>3. Restrict file uploads via `wp-config.php` or server config. <br>4.…

🔥 **Priority**: **CRITICAL (P1)**. <br>⏱️ **Urgency**: **IMMEDIATE ACTION**. <br>📢 **Reason**: Unauthenticated RCE via simple file upload. High impact, low effort for attackers. Patch or disable NOW.