CVE-2018-25335

CRITICAL

WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25335. PoCs published by Mr.7z.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file upload vulnerability in the Peugeot Music WordPress plugin (version 1.0) via a CSRF attack. It uploads a malicious file (e.g., a PHP shell) to the vulnerable endpoint, allowing remote code execution.

Description

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Attackers can upload files with arbitrary extensions by manipulating the 'name' parameter to execute code from the uploads directory.

Exploits (1)

exploitdb WORKING POC
by Mr.7z · text · webapps · php
https://www.exploit-db.com/exploits/44737


Classification
Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Peugeot Music 1.0
No auth needed
Prerequisites: Target running WordPress with Peugeot Music plugin 1.0 · Access to the vulnerable upload endpoint
devstral-2 · analyzed May 17, 2026

References (2)

Core References (2)
Exploit: ExploitDB-44737
https://www.exploit-db.com/exploits/44737
Third Party Advisory: VulnCheck Advisory: WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload
https://www.vulncheck.com/advisories/wordpress-plugin-peugeot-music-arbitrary-file-upload

Scores

CVSS v3 9.8
EPSS 0.0052
EPSS Percentile 39.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-306
Status published
Products (1)
peugeot-music-plugin/Peugeot Music 1.0
Published May 17, 2026
Tracked Since May 17, 2026