CVE-2025-2011

HIGH EXPLOITED NUCLEI LAB

WordPress Depicter Plugin SQL Injection (CVE-2025-2011)

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2025-2011 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Andrew Long, datagoboom, zsy107u, including a Metasploit module auxiliary/gather/wp_depicter_sqli_cve_2025_2011. A Nuclei detection template is also available.

AI-analyzed exploit summary This Python script exploits an SQL injection vulnerability in the WordPress Depicter Plugin (CVE-2025-2011) via the 's' parameter in admin-ajax.php. It includes functionality to check vulnerability status, extract admin user details, and execute custom SQL queries using error-based SQL injection techniques.

Description

The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (5)

exploitdb WORKING POC
by Andrew Long · pythonwebappsmultiple
https://www.exploit-db.com/exploits/52285

This Python script exploits an SQL injection vulnerability in the WordPress Depicter Plugin (CVE-2025-2011) via the 's' parameter in admin-ajax.php. It includes functionality to check vulnerability status, extract admin user details, and execute custom SQL queries using error-based SQL injection techniques.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Depicter Plugin <= 3.6.1
No auth needed
Prerequisites: Target must have the Depicter Plugin installed and vulnerable version (<= 3.6.1) · Target must have WordPress installed · Network access to the target's admin-ajax.php endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by datagoboom · infoleak
https://github.com/datagoboom/CVE-2025-2011

This repository contains a functional proof-of-concept for CVE-2025-2011, a SQL injection vulnerability in the Depicter Slider & Popup Builder WordPress plugin (versions < 3.6.2). The PoC includes a Docker-based test environment and a Python script to exploit the vulnerability via crafted AJAX requests.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Depicter Slider & Popup Builder WordPress plugin < 3.6.2
No auth needed
Prerequisites: Docker · Docker Compose · Python 3.x · WordPress installation
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by zsy107u · remote
https://github.com/zsy107u/CVE-2025-2011-poc

This is a functional SQL injection exploit for the WordPress Depicter plugin, leveraging a union-based SQLi vulnerability in the admin-ajax.php endpoint. It automates database enumeration, table/column extraction, and data retrieval.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Depicter Plugin 3.6.1
No auth needed
Prerequisites: Target must have the vulnerable Depicter plugin installed · WordPress admin-ajax.php must be accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by X3RX3SSec · infoleak
https://github.com/X3RX3SSec/CVE-2025-2011

This is a functional PoC for CVE-2025-2011, an SQL injection vulnerability in the Slider & Popup Builder by Depicter WordPress plugin. It includes two payloads to extract bcrypt hashes from the wp_users table and optionally cracks them using Hashcat.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Slider & Popup Builder by Depicter plugin for WordPress (versions up to and including 3.6.1)
No auth needed
Prerequisites: Python 3.8+ · requests library · colorama library · target WordPress site with vulnerable plugin
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by Muhamad Visat, Valentin Lobstein · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb

This Metasploit module exploits an unauthenticated SQL injection vulnerability in the WordPress Depicter plugin via the 's' parameter in admin-ajax.php. It retrieves user credentials by injecting a UNION-based SQL payload.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Depicter Plugin <= 3.6.1
No auth needed
Prerequisites: Target running WordPress with Depicter plugin <= 3.6.1 · Access to admin-ajax.php endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Slider & Popup Builder by Depicter <= 3.6.1 - Unauthenticated SQL Injection
HIGHVERIFIEDby iamnoooob,rootxharsh,pdresearch

References (9)

Core 9
Core References

Scores

CVSS v3 7.5
EPSS 0.4752
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:latest
+1 more repos

Details

VulnCheck KEV 2025-05-05
CWE
CWE-89
Status published
Products (2)
averta/Depicter — Popup & Slider Builder < 3.6.1
averta/Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel < 3.6.1
Published May 06, 2025
Tracked Since Feb 18, 2026