CVE-2025-67985

Document Library Lite <= 1.1.7 - Unauthenticated Insecure Direct Object Reference

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.2.0
Patched in
6d
Time to patch

Description

The Document Library Lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.7
PublishedDecember 15, 2025
Last updatedDecember 20, 2025
Affected plugindocument-library-lite

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-67985 (Document Library Lite) ## 1. Vulnerability Summary The **Document Library Lite** plugin (<= 1.1.7) contains an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. The plugin exposes an AJAX or REST API endpoint that retrieves documen…

Show full research plan

Exploitation Research Plan - CVE-2025-67985 (Document Library Lite)

1. Vulnerability Summary

The Document Library Lite plugin (<= 1.1.7) contains an unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. The plugin exposes an AJAX or REST API endpoint that retrieves document or configuration data based on user-supplied identifiers (IDs) without verifying the user's authorization or the sensitivity of the object being requested. This allows unauthenticated attackers to extract potentially sensitive information, such as document metadata, author details, or plugin configuration settings.

2. Attack Vector Analysis

  • Endpoint: WordPress AJAX (/wp-admin/admin-ajax.php) or REST API (/wp-json/).
  • Vulnerable Action (Inferred): dll_get_table_data, dll_fetch_documents, or dll_get_document_details.
  • Action Hook: wp_ajax_nopriv_dll_get_table_data (or similar nopriv hook).
  • Payload Parameter: id, document_id, or post_id.
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. Exploitation of specific document IDs requires those IDs to exist (can be enumerated).

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with a nopriv action associated with the Document Library Lite plugin.
  2. Handler Execution: The handler function (e.g., dll_get_document_info) is invoked.
  3. Parameter Extraction: The function retrieves an ID from $_POST['id'] or $_REQUEST['id'].
  4. Insecure Retrieval: The function calls get_post( $id ) or a similar database query to fetch document data without checking if the post is of the correct type (dl_document), if it is "Published", or if the current user has permission to view it.
  5. Information Leakage: The function returns the full object or sensitive metadata via wp_send_json_success().

4. Nonce Acquisition Strategy

Document Library Lite typically enqueues a JavaScript configuration object to handle AJAX requests for its document tables.

  1. Identify Shortcode: The plugin uses the [doc_library] or [document_library] shortcode.
  2. Create Trigger Page:
    wp post create --post_type=page --post_title="Document Library" --post_status=publish --post_content='[doc_library]'
    
  3. Extract Nonce via Browser:
    Navigate to the newly created page and use browser_eval to find the localized script data.
    • Possible Global Variable: dll_config, dll_data, or dll_params.
    • Execution Command: browser_eval("window.dll_config?.ajax_nonce || window.dll_params?.nonce")
  4. Bypass Check: If the wp_ajax_nopriv handler does not call check_ajax_referer or calls it with die=false and ignores the result, the nonce is unnecessary.

5. Exploitation Strategy

  1. Enumerate IDs: Use a loop to test common post IDs (e.g., 1-100).
  2. Craft Request:
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=dll_get_table_data&id=<TARGET_ID>&nonce=<EXTRACTED_NONCE>
  3. Target Specific Data: Attempt to access IDs of posts that are in "Draft" or "Private" status, or IDs of users to see if user meta is leaked.

6. Test Data Setup

  1. Create Private Document:
    # Create a document that should NOT be public
    wp post create --post_type=dl_document --post_title="Secret Project" --post_status=private --post_content="Sensitive internal data."
    
  2. Add Metadata:
    # Add custom meta to the document
    wp post meta add <PRIVATE_DOC_ID> internal_note "Confidential admin key: 12345"
    
  3. Identify Document ID: Note the ID of the private document for the exploit attempt.

7. Expected Results

  • Successful Exploit: The server returns a 200 OK response with a JSON body containing the content or metadata of the private document (e.g., "post_content": "Sensitive internal data." or metadata values).
  • Vulnerability Confirmation: Accessing a private ID via the nopriv AJAX action that should only be accessible to logged-in admins.

8. Verification Steps

  1. Verify via CLI: Check if the ID accessed is indeed private.
    wp post get <ID> --field=post_status
    
  2. Check Sensitivity: Confirm the response from the http_request contains data not available in the public frontend table.

9. Alternative Approaches

  • REST API Discovery: Check for registered routes under wp-json/dll/v1/ or similar.
    # Enumerate REST routes
    http_request http://<target>/wp-json/
    
  • Parameter Variations: If id doesn't work, try doc_id, p, or post_id.
  • Metadata Leakage: Some plugins have specific actions like dll_get_meta. Test if these actions allow arbitrary meta key retrieval.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Document Library Lite plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via its AJAX handlers. This allow unauthenticated attackers to retrieve sensitive document content and metadata from posts that are not publicly available, such as those in 'private' or 'draft' status.

Vulnerable Code

// Inferred from plugin architecture and research plan
// includes/class-dll-ajax.php or similar AJAX handler file

add_action( 'wp_ajax_nopriv_dll_get_table_data', array( $this, 'get_table_data' ) );

public function get_table_data() {
    // The plugin takes a user-supplied ID without sufficient validation
    $post_id = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : 0;
    
    // Retrieves the post object directly
    $post = get_post( $post_id );
    
    // Vulnerability: No check to ensure the post status is 'publish' 
    // or that the current user has permission to view this specific post ID.
    wp_send_json_success( $post );
}

Security Fix

--- includes/class-dll-ajax.php
+++ includes/class-dll-ajax.php
@@ -10,5 +10,12 @@
 public function get_table_data() {
+    check_ajax_referer( 'dll_ajax_nonce', 'nonce' );
     $post_id = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : 0;
     $post = get_post( $post_id );
-    wp_send_json_success( $post );
+    if ( $post && 'dl_document' === $post->post_type && 'publish' === $post->post_status ) {
+        wp_send_json_success( $post );
+    } else {
+        wp_send_json_error( array( 'message' => 'Unauthorized access.' ) );
+    }
 }

Exploit Outline

The exploit involves interacting with the WordPress AJAX endpoint to request data for sensitive post IDs. 1. Target Identification: Locate a page on the target site where the Document Library Lite shortcode ([doc_library]) is active to confirm the plugin is in use. 2. Nonce Retrieval (Optional): If the AJAX action requires a nonce, the attacker can extract it from the localized JavaScript objects (e.g., dll_config or dll_params) rendered on any page containing the document table. 3. Request Crafting: Send an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'dll_get_table_data' (or the specific handler identified) and the 'id' parameter set to the target post ID. 4. Enumeration: Iteratively test common post IDs to identify internal documents, drafts, or private files. 5. Information Extraction: The server's JSON response will include the post_content and metadata of the requested ID, regardless of its visibility status.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.