Related vulnerability
Title: WordPress plugin Eventin security vulnerability (CVE-2025-47539)
Description: WordPress and WordPress plugin are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports hosting a personal blog site on a server running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Eventin 4.0.26 and earlier versions contain a security vulnerability that stems from improper permission assignment and may lead to privilege escalation.
Description
Eventin <= 4.0.26 - Missing Authorization to Unauthenticated Privilege Escalation
Introduction
# 🚨 CVE-2025-47539 – WordPress Eventin Plugin Critical Exploit
## 🔥 Vulnerability Summary
The **Event Manager, Events Calendar, Tickets, Registrations – Eventin** plugin for WordPress is vulnerable to **unauthenticated privilege escalation** due to a missing authorization check in the `import_items()` function.
- 🔓 Affected Versions: `<= 4.0.26`
- 🆔 CVE: `CVE-2025-47539`
- 🚨 CVSS Score: `9.8 (Critical)`
- 📅 Public Disclosure: `May 7, 2025`
- 🔄 Last Updated: `May 15, 2025`
Unauthenticated attackers can craft a malicious request to the REST API and create a new user with `administrator` privileges without any user interaction.
---
## 💻 About the Script
This Python script is a standalone exploitation tool for CVE-2025-47539.
It will:
- Auto-generate a valid CSV payload file.
- Upload the file to the vulnerable endpoint.
- Automatically trigger the import process.
- Provide immediate feedback including full credentials of the created admin account.
> ⚠️ This script is intended for educational use and professional security assessments only.
---
## ⚙️ Usage
```bash
usage: a.py [-h] -u URL
Exploit for CVE-2025-47539 # By Nxploited (Khaled Alenazi)
options:
-h, --help show this help message and exit
-u, --url URL Target base URL (e.g. http://target.com)
```
---
## ✅ Expected Output
```bash
By:Nxploited (Khaled_alenazi) | NxploitBot@gmail.com
[+] Exploitation succeeded
[+] Response:
{"message":"Successfully imported speaker"}
[+] Exploited Account Details
Name : Nxploited (Khaled_alenazi)
Email : Nxploit@admin.sa
Username : NxPloted
Password : nxploit123
Role : administrator
Exploit: By: Nxploited (Khaled_alenazi)
Use this script for educational purposes only. I am not responsible for your actions.
```
---
## 📊 Impact
More than **10,000** WordPress sites are confirmed to be vulnerable to this exploit.
All site administrators using Eventin **≤ 4.0.26** should **immediately update** to version `4.0.28` or later.
---
## ⚠️ Disclaimer
This tool is provided **for educational and authorized penetration testing** purposes only.
The creator is **not responsible for any misuse or damage** caused by this script.
---
## 👤
**By:** Nxploited ( Khaled_Alenazi )
📧 **Contact:** NxploitBot@gmail.com
File snapshot
```
[4.0K] /data/pocs/5d6101e155d8241501bb723c8982d06c0be3287c
├── [4.0K] CVE-2025-47539.py
├── [1.1K] LICENSE
├── [2.3K] README.md
└── [ 9] requirements.txt
0 directories, 4 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.