关联漏洞
标题:
WordPress plugin Opal Estate Pro 安全漏洞
(CVE-2025-6934)
描述:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Opal Estate Pro 1.7.5及之前版本存在安全漏洞,该漏洞源于on_regiser_user函数缺少角色限制,可能导致权限提升。
描述
exploit
介绍
<p align="center">
<img src="banner.png" alt="CVE-2025-6934 Banner"/>
</p>
# CVE-2025-6934 > unauthenticated privilege escalation in opal estate pro
## Description
CVE-2025-6934 is a critical vulnerability in the **Opal Estate Pro** WordPress plugin (≤ v1.7.5).
This bug allows an **unauthenticated attacker** to create a new administrator account by sending a crafted request to:
```
/wp-admin/admin-ajax.php?action=opalestate\_register\_form
````
The root cause lies in the **nonce parsing (`opalestate-register-nonce`)** during the registration process, which is not properly validated.
This flaw allows attackers to bypass normal registration and directly create a new account with **administrator privileges**.
---
## Impact
- Remote unauthenticated attackers can create arbitrary admin accounts.
- Full access to the WordPress dashboard, plugins, themes, file manager, and potentially remote code execution (via malicious plugin upload).
- Fast escalation from **unauthenticated > full compromise**.
---
## Usage
Run the exploit tool with Python 3:
```bash
python3 exploit.py
````
You will be prompted for:
* `username` > New admin account username
* `password` > New admin account password
* `email` > Email address for the new account
* Target mode:
* **Single target** > Enter one target URL
* **Mass target** > Provide a file containing multiple target URLs
---
## Output
If successful, results are saved into `save.txt` in the format:
```
URL: https://example.com
USERNAME: admin123
PASSWORD: passw0rd!
EMAIL: attacker@example.com
ROLE: administrator
```
---
## Mitigation
* Update the **Opal Estate Pro** plugin to the latest patched version (> v1.7.5).
* Restrict anonymous access to `/wp-admin/admin-ajax.php` if possible.
* Audit WordPress user accounts after patching to detect unauthorized admins.
文件快照
[4.0K] /data/pocs/435ed46f4db5cecd4395f73dbbc22717e76b1b77
├── [ 80K] banner.png
├── [5.6K] exploit.py
├── [1.8K] README.md
└── [ 41] requirements.txt
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。