CVE-2025-3917
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites using the 百度站长SEO合集 plugin. Attackers can potentially achieve remote code execution by uploading malicious files. All WordPress sites with this plugin installed up to version 2.0.6 are affected.
💻 Affected Systems
- 百度站长SEO合集(支持百度/神马/Bing/头条推送) WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through remote code execution, leading to data theft, defacement, or ransomware deployment.
Likely Case
Webshell upload leading to persistent backdoor access, data exfiltration, or site defacement.
If Mitigated
File upload attempts blocked or detected, with no successful exploitation.
🎯 Exploit Status
Simple HTTP POST request with malicious file upload. Public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.7 or later
Vendor Advisory: https://wordpress.org/plugins/baiduseo/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find '百度站长SEO合集' plugin. 4. Click 'Update Now' if available. 5. If no update available, deactivate and delete plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable plugin
allDeactivate and remove the vulnerable plugin from WordPress
wp plugin deactivate baiduseo
wp plugin delete baiduseo
Web Application Firewall rule
allBlock requests to the vulnerable endpoint
Block POST requests to */wp-content/plugins/baiduseo/inc/index/youhua.php*
🧯 If You Can't Patch
- Deactivate and remove the baiduseo plugin immediately
- Implement strict file upload restrictions at web server level
🔍 How to Verify
Check if Vulnerable:
Check WordPress plugin version: Navigate to Plugins page in WordPress admin and check baiduseo plugin versionCheck Version:
wp plugin list --name=baiduseo --field=versionVerify Fix Applied:
Verify plugin version is 2.0.7 or later, or confirm plugin is removed📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-content/plugins/baiduseo/inc/index/youhua.php
- File uploads to media library from unauthenticated users
- Unusual file types (.php, .exe) in uploads directory
Network Indicators:
- HTTP POST to vulnerable endpoint with file upload parameters
- Unusual outbound connections from web server
SIEM Query:
source="web_logs" AND uri="*youhua.php*" AND method="POST" AND status=200