CVE-2025-52835
Description
Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator wing-migrator allows Upload a Web Shell to a Web Server. This issue affects WING WordPress Migrator: from n/a through <= 1.2.0.
Analysis
CSRF vulnerability in the WING WordPress Migrator plugin through version 1.2.0 permits unauthenticated attackers to upload web shells to affected WordPress sites by tricking a logged-in site administrator into visiting a malicious webpage. The vulnerability stems from missing nonce verification in the plugin's file upload functionality, enabling arbitrary code execution with web server privileges. No public exploit code or active exploitation was confirmed at the time of analysis.
Technical Context
WING WordPress Migrator is a WordPress plugin (CPE not explicitly provided but identifiable as wp-plugin-wing-migrator) that facilitates website migration tasks. The vulnerability stems from CWE-352 (Cross-Site Request Forgery), a common WordPress plugin flaw where sensitive actions such as file uploads lack CSRF token validation (nonce checks). When a site administrator visits a crafted webpage controlled by an attacker, the administrator's own browser is made to send a forged request to the plugin's upload endpoint; the request carries the admin's session cookies, so it appears to come from the authenticated admin session and bypasses normal access controls. Unlike typical CSRF flaws that merely modify data, this variant weaponizes the upload mechanism to place a web shell (executable code) on the server, escalating the attack from request forgery to remote code execution.
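The pattern described above, shown as an added illustration rather than the plugin's actual code: a hypothetical admin-post upload handler in its weak form (no nonce, no capability check, file name trusted) next to a hardened form that verifies a WordPress nonce, checks the caller's capability and restricts the accepted file type. Action names, nonce strings and paths are assumptions for the example.

```php
<?php
// Added example; not code from the WING WordPress Migrator plugin.
// Hypothetical "import archive" upload handler for a WordPress plugin.
// The action name, nonce action string, slug and paths are assumptions.

// --- Weak pattern (the CWE-352 shape this advisory describes) ---
// No nonce check, no capability check, and the client-supplied file name
// is trusted, so any logged-in admin's browser can be driven to store an
// arbitrary file under the web root by a cross-site POST.
function wing_demo_upload_weak() {
    $dest = WP_CONTENT_DIR . '/migrator-tmp/' . basename( $_FILES['archive']['name'] );
    move_uploaded_file( $_FILES['archive']['tmp_name'], $dest );
    wp_die( 'Uploaded' );
}

// --- Hardened form ---
function wing_demo_upload_hardened() {
    // 1. Capability check: only users allowed to upload files reach this.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: check_admin_referer() verifies the nonce emitted by
    //    wp_nonce_field() for this action and dies if it is missing or
    //    invalid. A page on another origin cannot obtain a valid nonce,
    //    so a forged cross-site request fails here.
    check_admin_referer( 'wing_demo_upload', 'wing_demo_nonce' );

    if ( empty( $_FILES['archive'] ) || UPLOAD_ERR_OK !== $_FILES['archive']['error'] ) {
        wp_die( 'No file received', '', array( 'response' => 400 ) );
    }

    // 3. Accept only the archive type the feature needs. wp_handle_upload()
    //    checks extension and MIME type against this allowlist, so a .php
    //    upload is rejected, and it writes the file under the uploads
    //    directory with a sanitised name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array(
        'test_form' => false,
        'mimes'     => array( 'zip' => 'application/zip' ),
    );
    $result = wp_handle_upload( $_FILES['archive'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    // $result['file'] is the stored archive path; process it server-side here.
    wp_safe_redirect( admin_url( 'tools.php?page=wing-demo&uploaded=1' ) );
    exit;
}
add_action( 'admin_post_wing_demo_upload', 'wing_demo_upload_hardened' );

// Form side: emits the nonce field that the hardened handler verifies.
function wing_demo_render_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wing_demo_upload">';
    wp_nonce_field( 'wing_demo_upload', 'wing_demo_nonce' );
    echo '<input type="file" name="archive"><button type="submit">Import</button></form>';
}
```

The nonce and the capability check address different risks and are both needed: the capability check stops low-privilege accounts, while the nonce is what defeats a request forged through an administrator's browser. Restricting the MIME allowlist limits what an upload can become even if a future check is bypassed.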
Affected Products
WING WordPress Migrator (wing-migrator) from version 1.0 through 1.2.0 is affected. The plugin is hosted on the WordPress plugin repository and identified by the slug wing-migrator. Affected installations are WordPress sites running this plugin at version 1.2.0 or earlier. The exact starting version is not specified in the available data, but the advisory indicates the vulnerability exists across the affected range.
Remediation
Users must immediately upgrade WING WordPress Migrator to a version above 1.2.0 (exact patched version number not specified in provided data; check the official WordPress plugin repository or vendor advisory for the latest release). Until an update is available, administrators should disable or deactivate the plugin to prevent exploitation. Additionally, review site activity logs for suspicious file uploads or web shell presence, particularly .php files in unexpected locations (wp-content, wp-uploads). Refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/wing-migrator/vulnerability/wordpress-wing-wordpress-migrator-plugin-1-1-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve for detailed patch release information and confirmation of fix availability.
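The file review suggested above, as an added triage helper that is not part of the plugin or of this advisory: a PHP command-line script that walks a directory which should contain only media (for example wp-content/uploads) and lists files with PHP-executable extensions, optionally limited to files modified in the last N days, printing a SHA-256 for each hit so the finding can be recorded and compared. The script name, default extension list and output format are assumptions.

```php
<?php
// Added triage helper; not part of the plugin or of the advisory.
// Usage: php find-php-in-uploads.php /var/www/html/wp-content/uploads [days]
// Exit code 1 when something is found, so it can run from cron and alert.

// Extensions that PHP handlers (mod_php, PHP-FPM) commonly execute.
const WING_DEMO_EXEC_EXT = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar' );

/**
 * Return files under $root whose name carries an executable PHP extension
 * anywhere after the first dot (catches "image.php.jpg"-style names as well
 * as plain "shell.php"), modified at or after $cutoff (0 = no time filter).
 */
function wing_demo_find_executable_files( string $root, int $cutoff = 0 ): array {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        /** @var SplFileInfo $file */
        if ( ! $file->isFile() ) {
            continue;
        }
        $parts = array_map( 'strtolower', explode( '.', $file->getFilename() ) );
        array_shift( $parts ); // drop the base name, keep every extension segment
        if ( ! array_intersect( $parts, WING_DEMO_EXEC_EXT ) ) {
            continue;
        }
        if ( $cutoff > 0 && $file->getMTime() < $cutoff ) {
            continue;
        }
        $hits[] = array(
            'path'   => $file->getPathname(),
            'mtime'  => date( 'c', $file->getMTime() ),
            'size'   => $file->getSize(),
            'sha256' => hash_file( 'sha256', $file->getPathname() ),
        );
    }
    // Newest first, so recent drops surface at the top of the report.
    usort( $hits, fn( $a, $b ) => strcmp( $b['mtime'], $a['mtime'] ) );
    return $hits;
}

if ( PHP_SAPI === 'cli' && realpath( $argv[0] ) === realpath( __FILE__ ) ) {
    $root = $argv[1] ?? '';
    $days = (int) ( $argv[2] ?? 0 );
    if ( '' === $root || ! is_dir( $root ) ) {
        fwrite( STDERR, "usage: php find-php-in-uploads.php <dir> [days]\n" );
        exit( 2 );
    }
    $cutoff = $days > 0 ? time() - $days * 86400 : 0;
    $hits   = wing_demo_find_executable_files( $root, $cutoff );
    foreach ( $hits as $h ) {
        printf( "%s  %8d  %s  %s\n", $h['mtime'], $h['size'], $h['sha256'], $h['path'] );
    }
    fprintf( STDERR, "%d executable-extension file(s) found under %s\n", count( $hits ), $root );
    exit( $hits ? 1 : 0 );
}
```

A hit is not proof of compromise on its own (some plugins legitimately write PHP into wp-content), so correlate each path and timestamp with the web server access log for the POST that created it, and preserve the file and its hash before removing it.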