CVE-2025-11170

CRITICAL

WordPress WP移行専用プラグイン for CPI <= 1.0.2 - Unauthenticated File Upload Code Execution

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-11170. PoCs published by Nxploited, Boshe99.

AI-analyzed exploit summary This is a functional exploit for CVE-2025-11170, targeting an unauthenticated arbitrary file upload vulnerability in the WP移行専用プラグイン for CPI WordPress plugin. The script uploads a shell via a crafted POST request to the vulnerable endpoint.

Description

The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the Cpiwm_Import_Controller::import function in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploits (2)

nomisec WORKING POC 2 stars

by Nxploited · poc

https://github.com/Nxploited/CVE-2025-11170

View Code ZIP pw:eip

This is a functional exploit for CVE-2025-11170, targeting an unauthenticated arbitrary file upload vulnerability in the WP移行専用プラグイン for CPI WordPress plugin. The script uploads a shell via a crafted POST request to the vulnerable endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WP移行専用プラグイン for CPI <= 1.0.2

No auth needed

Prerequisites: Target must have the vulnerable plugin installed and accessible · Network access to the target WordPress site

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC

by Boshe99 · pythonpoc

https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-11170

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2025-11170, an unauthenticated arbitrary file upload vulnerability in the WP移行専用プラグイン for CPI WordPress plugin. The exploit automates the upload of a shell or arbitrary file to a vulnerable target via the `cpiwm_import` action in `admin-ajax.php`.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WP移行専用プラグイン for CPI <= 1.0.2

No auth needed

Prerequisites: Target must have the vulnerable plugin installed and accessible · Network access to the target's `wp-admin/admin-ajax.php` endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Core References

Product

https://wordpress.org/plugins/cpi-wp-migration/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8a96d6d5-a5e3-4648-902b-f9d1f8e57e5c?source=cve

Scores

CVSS v3 9.8

EPSS 0.0068

EPSS Percentile 47.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

kddiwebcommunications/WP移行専用プラグイン for CPI < 1.0.2

Published Nov 11, 2025

Tracked Since Feb 18, 2026