CVE-2025-14124

HIGH · NUCLEI

Team WordPress <5.0.11 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-14124. PoCs published by hyunchiya. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a Go-based exploit for CVE-2025-14124, an unauthenticated time-based blind SQL injection vulnerability in the WordPress Team Plugin. The exploit automates detection, confirmation, and data extraction via malformed search parameters in AJAX requests.

Description

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Exploits (1)

nomisec · WORKING POC
by hyunchiya · poc
https://github.com/hyunchiya/CVE-2025-14124


Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Team Plugin < 5.0.11
No auth needed
Prerequisites: Target running WordPress with vulnerable Team Plugin · Page containing [tlpteam] shortcode · Valid nonce and scID extraction
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection
HIGH · VERIFIED · by neosmith1, 0x_Akoko
Shodan: http.html:"tlp-team"
FOFA: body="tlp-team" || body="rt-team-container"

References (1)

Core References
Third Party Advisory · exploit · vdb-entry · technical-description
https://wpscan.com/vulnerability/fdd19027-b70e-45a4-882b-77ab1819af91/

Scores

CVSS v3: 8.6
EPSS: 0.0736
EPSS Percentile: 91.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

Status: published
Products (1)
Unknown/Team < 5.0.11
Published: Jan 05, 2026
Tracked Since: Feb 18, 2026