Unauthenticated SQL Injection exploit for WordPress Likes and Dislikes Plugin ≤ 1.0.0
# CVE-2025-5287 PoC
Unauthenticated SQL Injection exploit for **WordPress Likes and Dislikes Plugin ≤ 1.0.0**
---
## 📖 Description
This Python script is a proof-of-concept (PoC) exploit for **CVE-2025-5287**, targeting a vulnerability in the **WordPress Likes and Dislikes Plugin ≤ 1.0.0**.
The vulnerability allows unauthenticated attackers to perform time-based blind SQL injection via the `post` parameter in the `my_likes_dislikes_action` AJAX action, potentially leading to sensitive data exposure or further exploitation.
---
## 📌 Usage
### ▶️ Requirements:
- Python 3
- `requests` library
Install required libraries:
```bash
pip install requests
```
---
**Arguments:**
- `--url` / `-u` : Target WordPress site URL (with HTTP/HTTPS)
- `--sleep` / `-s` : Sleep time (seconds) for detecting SQL delay (default: 5)
---
### ▶️ Run the Exploit:
```bash
python3 CVE-2025-5287-poc.py --url http://target.com
```
Or with a custom sleep time:
```bash
python3 CVE-2025-5287-poc.py --url http://target.com --sleep 7
```
---
## 🔍 Finding Targets
You can use **Fofa** to discover potentially vulnerable WordPress installations running the plugin.
**Fofa Dork:**
```text
body="/wp-admin/admin-ajax.php"
```
Or to narrow down plugin-specific references:
```text
body="my_likes_dislikes_action"
```
Search on: [https://fofa.info](https://fofa.info)
---
## 👨💻 Author
**Md Shoriful Islam (RootHarpy)**
---
## 📜 Disclaimer
This tool is created for educational and authorized penetration testing purposes only. Unauthorized use of this tool against systems without explicit permission is illegal.
[4.0K] /data/pocs/32d30953f9402b4ee5e82ba9b2ff850e8bbe6d3c
├── [1.8K] CVE-2025-5287.py
└── [1.6K] README.md
0 directories, 2 files