CVE-2021-25003

CRITICAL EXPLOITED IN THE WILD NUCLEI

WPCargo Track & Trace < 6.9.0 - Unauthenticated Arbitrary File Write and Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2021-25003 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including biulove0x. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-25003, an unauthenticated RCE vulnerability in WPCargo < 6.9.0. The exploit leverages a PNG compression technique to inject malicious PHP code into a file, achieving remote command execution.

Description

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE

Exploits (1)

nomisec WORKING POC 6 stars

by biulove0x · remote-auth

https://github.com/biulove0x/CVE-2021-25003

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-25003, an unauthenticated RCE vulnerability in WPCargo < 6.9.0. The exploit leverages a PNG compression technique to inject malicious PHP code into a file, achieving remote command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WPCargo < 6.9.0

No auth needed

Prerequisites: Target must have WPCargo plugin version < 6.9.0 installed · Target must be accessible via HTTP/HTTPS

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

WordPress WPCargo Track & Trace <6.9.0 - Remote Code Execution

CRITICALVERIFIEDby theamanrawat

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a

Scores

CVSS v3 9.8

EPSS 0.5615

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-11-30

InTheWild.io 2022-11-16

CWE

CWE-434 CWE-94

Status published

Products (1)

wptaskforce/wpcargo_track_\&_trace < 6.9.0

Published Mar 14, 2022

Tracked Since Feb 18, 2026