# WP-Links-Page-CVE-Report
Disclosure for CVE-2025-10175
# CVE-2025-10175 - Vulnerability in WP Links Page
This repository discloses a vulnerability discovered in [WP Links Page <= 4.9.6](https://wordpress.org/plugins/wp-links-page/), a WordPress plugin developed by Rico Macchi.
## 🛠 Affected Version
- **Product**: WP Links Page
- **Version**: v4.9.6 and earlier (<= 4.9.6)
- **URL**: https://wordpress.org/plugins/wp-links-page/
---
## 🔒 Assigned CVE
| CVE ID | Type | Component | Impact |
|-------------------|---------------------------|--------------------------|---------------------------|
| CVE-2025-10175 | Authenticated (Subscriber+) SQL Injection | wp-links-page/wp-links-page-free.php | Unauthorized database access and data exfiltration. |
---
## 🧾 Detailed Description
### CVE-2025-10175 — Unauthorized Database Access And Data Exfiltration
- **Affected Component**: wplf_update_from_previous() ($wpdb->get_results("SELECT * FROM $table WHERE id = $id ..."))
- **Attack Vector**: Authenticated (Subscriber+, valid nonce required) time-based Blind SQL Injection through an admin-ajax.php request (id parameter)
- **Trigger**: By sending a crafted request with a valid nonce to /wp-admin/admin-ajax.php, a time delay proportional to the injected SLEEP() value can be observed:
```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <target>
Cookie: <authenticated WordPress session cookies>
Content-Type: application/x-www-form-urlencoded

action=wplf_update_from_previous&nonce=<valid_nonce>&id=1%20AND%20SLEEP(5)
```
- **Impact**: An authenticated attacker can extract database contents bit by bit by measuring response delays (user accounts, e-mail addresses, configuration values), including administrator password hashes, which can lead to privilege escalation once a hash is cracked or reused. Disclosure of schema information and record counts weakens confidentiality and facilitates subsequent targeted attacks against the entire WordPress installation.
- **PoC**:
1. An authenticated user (Subscriber role or higher) sends a POST request to /wp-admin/admin-ajax.php with action=wplf_update_from_previous and a valid nonce.
2. The id parameter is injected with a time-based payload such as 1 AND SLEEP(5) (URL-encoded in the request body).
3. The server response is delayed by roughly the SLEEP() value compared with a baseline request using id=1, confirming the presence of time-based Blind SQL Injection.
## ❓Reason for the vulnerability
The id parameter is read directly from $_REQUEST and passed only through sanitize_text_field(), which strips tags, invalid UTF-8 and line breaks but neither escapes SQL metacharacters nor restricts the value to an integer. The sanitized value is then concatenated into the SQL query string without $wpdb->prepare() or an integer cast, so SQL syntax supplied by the attacker (for example 1 AND SLEEP(5)) is executed by the database as part of the WHERE clause.
### Proposed Fix:
Use $wpdb->prepare() with a %d placeholder for id (or cast the value with absint()) so that it is bound as an integer instead of being concatenated into the query string.
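The following is an added example written for this advisory, not code taken from the WP Links Page plugin: a reconstruction of the vulnerable pattern described above, placed next to a hardened handler that applies the proposed $wpdb->prepare() fix. The table name ($table built from $wpdb->prefix), the nonce action name 'wplf_nonce' and the capability 'manage_options' are assumptions; the real plugin's values are not shown in this advisory.

```php
<?php
// Added example, not the plugin's own code. Reconstructs the pattern this
// advisory describes (id from $_REQUEST, sanitize_text_field(), string
// concatenation) and shows the hardened version beside it.
// Assumed names (not from the advisory): the table name, the nonce action
// 'wplf_nonce' and the capability 'manage_options'.

// --- Vulnerable pattern, as described in the "Reason" section above.
// sanitize_text_field() is not SQL escaping: "1 AND SLEEP(5)" passes through
// unchanged and is interpolated straight into the query text.
function wplf_update_from_previous_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'wplf_example';          // assumed; trusted, set in code
    $id    = sanitize_text_field( $_REQUEST['id'] );  // "1 AND SLEEP(5)" survives untouched
    // Resulting SQL: SELECT * FROM wp_wplf_example WHERE id = 1 AND SLEEP(5)
    return $wpdb->get_results( "SELECT * FROM $table WHERE id = $id" );
}

// --- Hardened version: id is bound through $wpdb->prepare() with %d, so it
// is cast to an integer and never becomes part of the SQL text. The table
// name must still come from code: prepare() cannot parameterize identifiers.
function wplf_update_from_previous_fixed() {
    global $wpdb;

    // Verify the AJAX nonce sent in the 'nonce' field (action name assumed).
    check_ajax_referer( 'wplf_nonce', 'nonce' );

    // Defense in depth beyond the advisory's proposed fix: a Subscriber has no
    // business calling an update routine. Capability name is an assumption.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $table = $wpdb->prefix . 'wplf_example';          // assumed; trusted, set in code
    $id    = absint( $_REQUEST['id'] ?? 0 );          // "1 AND SLEEP(5)" -> 1
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // %d binds an integer; the query sent to MySQL is "... WHERE id = 1".
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

With the hardened handler, the PoC payload 1 AND SLEEP(5) is reduced to the integer 1 by absint() and the %d placeholder, so the request returns at normal speed and the time-based oracle disappears. The capability check is not part of the advisory's proposed fix; it is listed here because restricting who may reach the query at all removes the Subscriber+ exposure even if another parameter is mishandled later.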
## 🔍 Discoverer
**Name**: MooseLove
**Role**: Independent security researcher / bug hunter
**Contact**: Available upon request
---
## 📚 References
- Product: https://wordpress.org/plugins/wp-links-page/
---
## ⚠️ License
This advisory is provided for public security awareness. Free to share with attribution.