来源

关联漏洞

描述

Unauthenticated SQL Injection exploit for WordPress Likes and Dislikes Plugin ≤ 1.0.0

介绍

# CVE-2025-5287 PoC

Unauthenticated SQL Injection exploit for **WordPress Likes and Dislikes Plugin ≤ 1.0.0**

---

## 📖 Description

This Python script is a proof-of-concept (PoC) exploit for **CVE-2025-5287**, targeting a vulnerability in the **WordPress Likes and Dislikes Plugin ≤ 1.0.0**.  
The vulnerability allows unauthenticated attackers to perform time-based blind SQL injection via the `post` parameter in the `my_likes_dislikes_action` AJAX action, potentially leading to sensitive data exposure or further exploitation.

---

## 📌 Usage

### ▶️ Requirements:
- Python 3
- `requests` library

Install required libraries:

```bash
pip install requests
```

---

**Arguments:**
- `--url` / `-u` : Target WordPress site URL (with HTTP/HTTPS)
- `--sleep` / `-s` : Sleep time (seconds) for detecting SQL delay (default: 5)

---

### ▶️ Run the Exploit:

```bash
python3 CVE-2025-5287-poc.py --url http://target.com
```

Or with a custom sleep time:

```bash
python3 CVE-2025-5287-poc.py --url http://target.com --sleep 7
```

---

## 🔍 Finding Targets

You can use **Fofa** to discover potentially vulnerable WordPress installations running the plugin.

**Fofa Dork:**

```text
body="/wp-admin/admin-ajax.php"
```

Or to narrow down plugin-specific references:

```text
body="my_likes_dislikes_action"
```

Search on: [https://fofa.info](https://fofa.info)

---

## 👨‍💻 Author

**Md Shoriful Islam (RootHarpy)**

---

## 📜 Disclaimer

This tool is created for educational and authorized penetration testing purposes only. Unauthorized use of this tool against systems without explicit permission is illegal.

文件快照

 [4.0K]  /data/pocs/32d30953f9402b4ee5e82ba9b2ff850e8bbe6d3c
├── [1.8K]  CVE-2025-5287.py
└── [1.6K]  README.md

0 directories, 2 files

备注