Share
## https://sploitus.com/exploit?id=021A7C40-40E4-5B2D-AC96-99297BA23047
## 📌 Overview
**CVE-2025-9209** is a critical information disclosure vulnerability in the **RestroPress** WordPress plugin (versions 3.0.0 – 3.1.9.2).  
It allows an unauthenticated attacker to retrieve private API keys, public keys, and JWT tokens for all WordPress users via the built‑in REST API endpoint `/wp-json/wp/v2/users`.  

With these credentials, an attacker can fully impersonate any user – including administrators – and gain complete control over the RestroPress e‑commerce data (customers, orders, menu items, coupons, etc.).  

**CVSS Score:** 8.8 (High)  
**CWE:** CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)  
**Patched version:** RestroPress 3.2.2 (March 2025)

---

## ⚙️ How the Exploit Works
1. Attacker sends a `GET` request to the public endpoint:  
   `https://target.com/wp-json/wp/v2/users?per_page=100`
2. The response contains the `_rp_api_user_private_key`, `_rp_api_user_public_key`, and `_rp_api_user_token_key` for each user.
3. Attacker extracts the **JWT token** and **public key**.
4. Using these, the attacker can authenticate to any RestroPress REST API endpoint (e.g., `/wp-json/rp/v1/customers`, `/wp-json/rp/v1/orders`) with the following headers:
   - `Authorization: Bearer `
   - `X-API-Key: `
   - `X-User-ID: `
5. Successful authentication grants full CRUD access to all RestroPress data.

---

## 🧪 Lab Setup (Test Environment)

| Component               | Details                                                                 |
|------------------------|-------------------------------------------------------------------------|
| **Target**             | Windows 11 VM running XAMPP + WordPress + RestroPress 3.1.9.2           |
| **Attacker**           | Kali Linux VM (Python3, curl)                                          |
| **Network**            | Host‑only adapter (192.168.100.0/24)                                   |

### Target Setup (Windows 11)
1. Install XAMPP, start Apache & MySQL.
2. Download WordPress, install in `C:\xampp\htdocs\wordpress`.
3. Install **RestroPress 3.1.9.2** (from WordPress plugin archive) and activate.
4. Generate API keys for a user (WordPress admin → Users → Profile → RestroPress API Keys → Generate New API Keys).
5. Ensure the REST API endpoint returns non‑empty fields:  
   `curl http://localhost/wordpress/wp-json/wp/v2/users?per_page=100`

### Attacker Setup (Kali)
```bash
git clone https://github.com/Nxploited/CVE-2025-9209.git
cd CVE-2025-9209
echo "192.168.100.10/wordpress" > targets.txt