Share
## https://sploitus.com/exploit?id=AF74796C-1859-51A4-86A0-92519011F148
# CVE-2025-39459
Real Estate 7 <= 3.5.2 - Unauthenticated Privilege Escalation
# 🧨 CVE-2025-39459 β€” Real Estate 7 (<= 3.5.2) Unauthenticated Privilege Escalation

## πŸ“Œ Overview
This repository contains a Python proof-of-concept tool for **CVE-2025-39459**, affecting the **Real Estate 7** WordPress theme in versions **<= 3.5.2**.

The vulnerability allows an **unauthenticated attacker** to register a new user and escalate privileges to **administrator**, resulting in full site compromise.

- **Product:** Real Estate 7 (WordPress theme)  
- **Vulnerability:** Unauthenticated Privilege Escalation  
- **Affected versions:** <= 3.5.2  
- **CVE:** CVE-2025-39459  
- **CVSS:** 9.8 (Critical)

 
**Telegram:** @Kxploit  
**Telegram Channel:** https://t.me/KNxploited  

---

## βš™οΈ How It Works (High Level)
The script:
1. Reads targets from a file (default: `list.txt`)
2. For each target, requests the registration page to extract a nonce (`ct_register_nonce`)
3. Submits a crafted request to `wp-admin/admin-ajax.php` (`action=ct_add_new_member`) with:
   - a randomized username/email
   - a fixed password (default: `xplpass`)
   - **administrator** role specified in the payload
4. If exploitation succeeds, the created credentials are saved to `success_results.txt`
5. Debug responses are written to `debug_responses/` for troubleshooting and validation

---

## 🧰 Features
- Multi-threaded scanning/exploitation (configurable threads)
- Clean Rich-based dashboard:
  - total/processed/success/fail stats
  - current target
  - recent results table
- Automatic nonce extraction
- Automatic credential generation (prefix: `Nxploited_####`)
- Output logging:
  - `success_results.txt` for successful hits
  - `debug_responses/` for captured server responses

---

## βœ… Requirements
- Python **3.9+** recommended
- Dependencies:
  - `requests`
  - `urllib3`
  - `rich`

Install:
```bash
pip install -r requirements.txt
```

If you don’t have `requirements.txt`, install directly:
```bash
pip install requests urllib3 rich
```

---

## πŸš€ Usage
### 1) Prepare targets
Create `list.txt` (one target per line):

```text
https://example.com
http://target.tld
target-without-scheme.com
```

The tool will auto-add `http://` if the scheme is missing.

### 2) Run
```bash
python3 CVE-2025-39459.py
```

You will be prompted for:
- Targets file name (default: `list.txt`)
- Number of threads (default: `10`)

---

## πŸ“ Output Files
- `success_results.txt`  
  Contains exploited targets and created credentials in the form:
  ```
  https://target | USER: Nxploited_1234 | PASS: xplpass | EMAIL: Nxploited_1234@gmail.com
  ```

- `debug_responses/`  
  Stores raw responses for each target (useful when nonce is missing, JSON parsing fails, or the theme isn’t present).

---

## πŸ› οΈ Configuration Notes
Key defaults inside the script:
- Password: `xplpass`
- Username prefix: `Nxploited`
- Threads default: `10`
- Requests:
  - `verify=False` (TLS verification disabled)
  - timeout ~ `16s`

If you need to tune speed/stability:
- Reduce threads for slower networks
- Increase timeout if targets respond slowly

---

## πŸ”Ž Vulnerability Details
### Real Estate 7 <= 3.5.2 β€” Unauthenticated Privilege Escalation
**Description**  
The Real Estate 7 WordPress theme is vulnerable to **Privilege Escalation** in all versions up to, and including, **3.5.2**. This makes it possible for **unauthenticated attackers** to elevate their privileges to that of an **administrator**.

- **CVE:** CVE-2025-39459  
- **CVSS:** 9.8 (Critical)  
- **By:** Nxploited  
- **Telegram:** @Kxploit  
- **Telegram Channel:** https://t.me/KNxploited  

---

## ⚠️ Disclaimer
This project is provided for **educational and authorized security testing** purposes only.  
You are responsible for complying with all applicable laws and regulations.  
Do not use this tool against systems you do not own or do not have explicit permission to test.  
The author(s) assume no liability for misuse or damage caused by this tool.