PoC details: e58e845ea418c6257a5e14b3213617b5a6e4c3db

Source
Related vulnerability
Title: WordPress plugin WP Links Page SQL injection vulnerability (CVE-2025-10175)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users set up a personal blog on a PHP- and MySQL-based server. A WordPress plugin is an add-on application for it. WordPress plugin WP Links Page 4.9.6 and earlier contains a SQL injection vulnerability caused by insufficient sanitization and escaping of the user-supplied id parameter and inadequate preparation of the SQL query, which may allow SQL injection attacks.
Description
Disclosure for CVE-2025-10175
Introduction
# WP-Links-Page-CVE-Report
Disclosure for CVE-2025-10175

# CVE-2025-10175 - Vulnerability in WP Links Page

This repository discloses a vulnerability discovered in [WP Links Page <= 4.9.6](https://wordpress.org/plugins/wp-links-page/), a WordPress plugin developed by Rico Macchi.

## 🛠 Affected Version

- **Product**: WP Links Page
- **Version**: v4.9.6
- **URL**: https://wordpress.org/plugins/wp-links-page/

---

## 🔒 Assigned CVE
| CVE ID         | Type                                      | Component                            | Impact                                              |
|----------------|-------------------------------------------|--------------------------------------|-----------------------------------------------------|
| CVE-2025-10175 | Authenticated (Subscriber+) SQL Injection | wp-links-page/wp-links-page-free.php | Unauthorized database access and data exfiltration. |

---

## 🧾 Detailed Description

### CVE-2025-10175 — Unauthorized Database Access And Data Exfiltration

- **Affected Component**: wplf_update_from_previous() ($wpdb->get_results("SELECT * FROM $table WHERE id = $id ..."))
- **Attack Vector**: Authenticated (nonce required) AJAX-based Blind SQL Injection (id parameter)
- **Trigger**: By sending a crafted request with a valid nonce to /wp-admin/admin-ajax.php, a time delay can be observed:
```
POST /wp-admin/admin-ajax.php
Content-Type: application/x-www-form-urlencoded

action=wplf_update_from_previous&nonce=<valid_nonce>&id=1 AND SLEEP(5)

```
- **Impact**: Attackers can gradually extract database contents (user accounts, emails, configuration values) and obtain administrator password hashes, leading to privilege escalation. Disclosure of schema information and record counts weakens confidentiality and facilitates subsequent targeted attacks against the entire WordPress installation.
- **PoC**:
  1. An authenticated user sends a POST request to /wp-admin/admin-ajax.php with a valid nonce.
  2. The id parameter is injected with a time-based payload such as 1 AND SLEEP(5).
  3. The server response is delayed, confirming the presence of Blind SQL Injection.

## ❓ Reason for the vulnerability

The id parameter is taken directly from $_REQUEST and only passed through sanitize_text_field(), which strips tags and whitespace but does not neutralize SQL syntax and therefore does not prevent SQL injection. The value is then concatenated directly into the SQL query without prepared statements or proper parameter binding.

### Proposed Fix

Use $wpdb->prepare() so that the id value is bound as a parameter instead of being concatenated into the query string.
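As an added illustration (not the plugin's own code or the author's), the injectable pattern the advisory names is shown beside a version that binds id through $wpdb->prepare(); the table name, nonce action, capability and function names are assumptions:

```php
<?php
// Added illustration, not code from the plugin. Assumes a WordPress runtime
// ($wpdb, sanitize_text_field, absint, check_ajax_referer, current_user_can,
// wp_send_json_*); table name, nonce action and function names are hypothetical.

// BEFORE: sanitize_text_field() removes tags and stray whitespace but leaves SQL
// metacharacters untouched, so a value like "1 AND SLEEP(5)" reaches the query.
function wplf_lookup_vulnerable( $table ) {
    global $wpdb;
    $id = sanitize_text_field( $_REQUEST['id'] );
    return $wpdb->get_results( "SELECT * FROM $table WHERE id = $id" ); // injectable
}

// AFTER: coerce id to a non-negative integer and bind it with a %d placeholder.
// $table is a server-side constant here, never user input.
function wplf_lookup_fixed( $table ) {
    global $wpdb;
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    if ( 0 === $id ) {
        return array(); // reject missing or non-numeric ids before touching the DB
    }
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id )
    );
}

// Additional hardening for the AJAX entry point (an assumption beyond the
// advisory's one-line fix): a nonce alone does not prove authorization, so also
// require a capability that Subscriber-level accounts do not hold.
function wplf_update_from_previous_handler() {
    global $wpdb;
    check_ajax_referer( 'wplf_nonce', 'nonce' );               // nonce action assumed
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $rows = wplf_lookup_fixed( $wpdb->prefix . 'wplf_links' ); // table name assumed
    wp_send_json_success( $rows );
}
```

The %d placeholder guarantees that whatever arrives in id is emitted as an integer literal, so the time-based payload in the PoC above can no longer alter the query's structure.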

## 🔍 Discoverer

**Name**: MooseLove  
**Role**: Independent security researcher / bug hunter  
**Contact**: Available upon request  

---

## 📚 References

- Product: https://wordpress.org/plugins/wp-links-page/

---

## ⚠️ License

This advisory is provided for public security awareness. Free to share with attribution.

File snapshot

[4.0K] /data/pocs/e58e845ea418c6257a5e14b3213617b5a6e4c3db └── [2.7K] README.md 0 directories, 1 file
The Shenlong bot has cached this for you
Notes
    1. It is recommended to access the PoC through the source link first.
    2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.