Executive Summary

CVE-2025-14545 affects the WordPress plugin "YML for Yandex Market" versions prior to 5.0.26 and allows Remote Code Execution (RCE) via the feed generation process.

The vulnerability occurs because user input in the "Change domain to" field during feed creation is not properly sanitized, which enables injection of PHP code.

An attacker with Shop Manager role access can create a malicious feed by inserting PHP code into this field, manipulate the feed file extension to .php, and then execute arbitrary system commands by accessing the generated feed URL.

This vulnerability is classified as Remote Code Execution (RCE), CWE-94 (Improper Control of Generation of Code), and corresponds to OWASP Top 10 A1: Injection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with Shop Manager access to execute arbitrary system commands on the server hosting the WordPress site.

Such Remote Code Execution can lead to full compromise of the server, including data theft, defacement, installation of malware, or further attacks within the network.

The attacker can also relocate the malicious PHP file to executable directories, increasing the risk and persistence of the attack.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your WordPress site is running the YML for Yandex Market plugin version prior to 5.0.26 and by verifying if any malicious feed files have been created and are accessible.

To detect exploitation attempts or presence of malicious files, you can look for PHP files named like "shell.php" or other suspicious feed files in the uploads directory or other executable directories.

Suggested commands to detect suspicious files on your server include:

• Find PHP files in the uploads directory: `find /path/to/wordpress/wp-content/uploads/ -name '*.php'`
• Check for recently modified or created PHP files: `find /path/to/wordpress/wp-content/uploads/ -name '*.php' -mtime -30` (files modified in the last 30 days)
• Search web server logs for requests to suspicious feed URLs, e.g., requests containing ".php?0=" which may indicate command execution attempts.
• Use curl or wget to test if a suspicious feed URL executes commands, for example: `curl 'http://example.com/wp-content/uploads/shell.php?0=whoami'`

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation step is to update the YML for Yandex Market WordPress plugin to version 5.0.26 or later, where this vulnerability is fixed.

Additionally, you should:

• Remove any suspicious or unknown PHP files from the uploads and other executable directories.
• Restrict file upload permissions and disable PHP execution in the uploads directory to prevent execution of malicious files.
• Review and limit user roles, especially Shop Manager role access, to trusted users only.
• Monitor web server logs for suspicious activity related to feed generation or unusual PHP file access.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows Remote Code Execution (RCE) through the YML for Yandex Market WordPress plugin, which could lead to unauthorized access and control over the affected system.

Such unauthorized access and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and system compromise.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Useful 0 Not Useful 0