
CVE-2025-48148 PoC — WordPress StoreKeeper for WooCommerce Plugin <= 14.4.4 - Arbitrary File Upload Vulnerability

Source
Associated Vulnerability
Title: WordPress StoreKeeper for WooCommerce Plugin <= 14.4.4 - Arbitrary File Upload Vulnerability (CVE-2025-48148)
Description: Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce (storekeeper-for-woocommerce) allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4 (inclusive).
Description
StoreKeeper for WooCommerce <= 14.4.4 - Unauthenticated Arbitrary File Upload
Readme
# CVE-2025-48148
StoreKeeper for WooCommerce <= 14.4.4 - Unauthenticated Arbitrary File Upload

# 🚀 StoreKeeper for WooCommerce <= 14.4.4 - Unauthenticated Arbitrary File Upload Exploit

## 📝 Description

The **StoreKeeper for WooCommerce** plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 14.4.4.  
This allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution.

- **CVE:** CVE-2025-48148
- **CVSS:** 9.8 (Critical)

---

## 🛡️ Script Overview

**Script Name:** `CVE-2025-48148.py`

This script is a professional proof-of-concept exploit for CVE-2025-48148, designed to automate the process of uploading a webshell to vulnerable WordPress sites using the StoreKeeper for WooCommerce plugin.

### ⚡ Features & Workflow

- **Automatic Nonce Extraction:**  
  Fetches the required `nonce` token directly from the target URL, ensuring reliability even if the value changes.
- **Custom Shell Creation:**  
  Generates a stealthy, valid PNG file containing a minimal PHP webshell for remote command execution.
- **Advanced Bypass Techniques:**  
  Utilizes multiple HTTP header tricks (User-Agent, Referer, X-Forwarded-For, etc.) to evade security protections and WAFs.
- **Informative Logging:**  
  Provides clear, color-coded output for every stage (extraction, upload, response).
- **Minimal Input Required:**  
  Requires only the site URL; the script automatically determines the correct upload endpoint.
- **SSL Bypass:**  
  Optionally disables SSL verification for targets with self-signed certificates.
- **Debug Mode:**  
  Enables verbose output for troubleshooting or research scenarios.
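A defender-side counterpart to the artefacts described above (a PHP-extension file, or a valid PNG that also carries PHP code, landing in `wp-content/uploads`). This is an added example, not code from the PoC repository; the directory layout and sample files are constructed for the demo.

```python
# Added example, not code from the PoC repository: hunts for the artefacts the
# README describes landing in wp-content/uploads (a PHP-extension file, or a
# valid PNG that also carries PHP code). Sample paths/files are constructed.
import re
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def classify_upload(name: str, data: bytes) -> list:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    exts = [e.lower() for e in Path(name).suffixes]  # also catches shell.php.png
    if any(e in PHP_EXTS for e in exts):
        findings.append("php-extension")
    has_php = PHP_TAG.search(data) is not None
    if has_php and data.startswith(PNG_MAGIC):
        findings.append("png-php-polyglot")  # valid PNG header plus PHP code
    elif has_php and exts and exts[-1] in IMAGE_EXTS:
        findings.append("php-in-image")  # image name, non-PNG body with PHP
    elif has_php and "php-extension" not in findings:
        findings.append("php-code")  # PHP code under any other name
    return findings

def scan_uploads(root) -> dict:
    """Walk an uploads tree; return {relative_path: findings} for hits only."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file():
            found = classify_upload(path.name, path.read_bytes())
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits

def demo() -> dict:
    """Build a constructed uploads tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp) / "wp-content" / "uploads"
        (up / "2025" / "06").mkdir(parents=True)
        (up / "2025" / "06" / "photo.png").write_bytes(PNG_MAGIC + b"\x00" * 32)
        (up / "2025" / "06" / "logo.png").write_bytes(PNG_MAGIC + b"<?php echo 1; ?>")
        (up / "shell.php").write_bytes(b"<?php echo 1; ?>")  # constructed sample
        (up / "notes.txt").write_bytes(b"plain text")
        return scan_uploads(up)

if __name__ == "__main__":
    print(demo())
```

Pointing `scan_uploads()` at a real `wp-content/uploads` lists only the files that need a closer look; a clean tree returns an empty dict.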

---

## ⚙️ Usage

```bash
python3 CVE-2025-48148.py -u "http://target.com/wordpress/"
```

**Optional flags:**

- `--debug` Enable verbose output.
- `--insecure` Skip SSL certificate verification.

---

## ✅ Expected Output

- Nonce extraction status and value.
- Shell creation confirmation.
- Upload process status and HTTP response.
- Success message with accessible shell URL if possible.

Example:
```text
[*] Extracting nonce...
[+] Nonce extracted: 66e372c7e0
[+] Shell file created: shell.php
[*] Uploading shell...
[+] Upload response:
{"success":true,"data":{"url":"http://target.com/wp-content/uploads/shell.php"}}
```

---

## 📬 Contact & Social

[![X](https://img.shields.io/badge/X-black.svg?logo=X&logoColor=white)](https://x.com/Nxploited)  
[![YouTube](https://img.shields.io/badge/YouTube-%23FF0000.svg?logo=YouTube&logoColor=white)](https://youtube.com/@Nxploited)  
📧 **Email:** [NxploitBot@gmail.com](mailto:NxploitBot@gmail.com)  
📨 **Telegram:** [@Kxploit](https://t.me/Kxploit)  

---

## ⚠️ Disclaimer

This script is provided for educational and authorized penetration testing purposes only.  
**The author is not responsible for any misuse or damage caused by this tool. Always obtain proper permission before testing any system.**

---

***By: Nxploited (Khaled Alenazi)***
File Snapshot

[4.0K] /data/pocs/60d449a10e16d4166d8b7bfb49f13c7b5ad866ed
├── [3.5K] CVE-2025-48148.py
├── [1.5K] LICENSE
├── [3.0K] README.md
└── [   9] requirements.txt

1 directory, 4 files