CVE-2025-2005

CRITICAL

Front End Users <= 3.2.32 - Unauthenticated Arbitrary File Upload via Registration Form

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-2005. PoCs published by Nxploited, cybersecplayground, mrmtwoj, Boshe99 and h4ckxel.

AI-analyzed exploit summary: This repository contains a working proof-of-concept exploit for CVE-2025-2005, an arbitrary file upload vulnerability in the WordPress Front-End Users Plugin <= 3.2.32. The exploit includes both manual HTTP request and Python script methods to upload a PHP web shell.

Description

The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file upload field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. Exploitation needs only a reachable registration form that renders the plugin's file upload field; no account on the site is required, so the check has to be enforced server-side.

Exploits (5)

nomisec WORKING POC 9 stars
by Nxploited · poc
https://github.com/Nxploited/CVE-2025-2005

This repository contains a working proof-of-concept exploit for CVE-2025-2005, an arbitrary file upload vulnerability in the WordPress Front-End Users Plugin <= 3.2.32. The exploit includes both manual HTTP request and Python script methods to upload a PHP web shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress Front-End Users Plugin <= 3.2.32
No auth needed
Prerequisites: Target running vulnerable WordPress Front-End Users Plugin · Access to a registration form rendered by the plugin
devstral-2 · analyzed Feb 16, 2026
github WRITEUP 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2025/Cve-2025-2005.md

The linked page is the CVE-2025-2005 entry in a repository that contains detailed technical writeups for multiple CVEs, including command injection, XXE, SQLi, and RCE vulnerabilities. Each writeup provides a vulnerability overview, proof-of-concept examples, and mitigation recommendations; the classification below (target list, attack type) describes the repository as a whole rather than this single entry.

Classification
Writeup 95%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Various (e.g., account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)
No auth needed
Prerequisites: Access to vulnerable endpoints · Basic understanding of exploit techniques
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 3 stars
by mrmtwoj · poc
https://github.com/mrmtwoj/CVE-2025-2005

This repository contains a functional exploit for CVE-2025-2005, targeting an arbitrary file upload vulnerability in the WordPress Front End Users plugin (versions up to 3.2.32). The exploit automates the discovery of registration forms and uploads a PHP shell to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Front End Users plugin <= 3.2.32
No auth needed
Prerequisites: Python 3.x · requests library · beautifulsoup4 library · target running vulnerable WordPress plugin
devstral-2 · analyzed Feb 16, 2026
github WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-2005

The repository contains functional exploit code for CVE-2025-2005, targeting an arbitrary file upload vulnerability in the WordPress Plugin 3DPrint Lite 1.9.1.4. The exploit demonstrates the ability to upload a malicious file to a vulnerable target. Note that 3DPrint Lite is not the product this CVE is assigned to (Front End Users <= 3.2.32), so verify the repository against the description above before relying on it for this CVE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: Vulnerable WordPress Plugin 3DPrint Lite 1.9.1.4 installed · Target URL · Malicious file to upload
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by h4ckxel · poc
https://github.com/h4ckxel/CVE-2025-2005

This repository contains a functional exploit for CVE-2025-2005, an arbitrary file upload vulnerability in the WordPress Front-End Users plugin (versions <= 3.2.32). The exploit allows unauthenticated attackers to upload a PHP web shell via a registration form, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress Front-End Users Plugin <= 3.2.32
No auth needed
Prerequisites: Target running vulnerable WordPress Front-End Users plugin · Access to the registration form endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.1731
EPSS Percentile 96.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none (as recorded in the CISA Vulnrichment entry; it does not reflect the public PoCs tracked above)
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (2)
etoilewebdesign/front_end_users <= 3.2.32
rustaurius/Front End Users <= 3.2.32
Published Apr 02, 2025
Tracked Since Feb 18, 2026