CVE-2025-6758 PoC: WordPress plugin Real Spaces security vulnerability

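Source
Related vulnerability
Title: WordPress plugin Real Spaces security vulnerability (CVE-2025-6758)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Real Spaces 3.6 and earlier versions contain a security vulnerability that stems from insufficient restrictions on registration roles and may allow unauthenticated attackers to escalate privileges to administrator.
Description
Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to Administrator
Introduction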
## Real Spaces - WordPress Properties Directory Theme ≤ 3.6  
### Unauthenticated Privilege Escalation to Administrator via `imic_agent_register`

---

## 📝 Description

**CVE-2025-6758**  
**CVSS Score:** 9.8 (Critical)

The **Real Spaces - WordPress Properties Directory Theme** for WordPress is vulnerable to privilege escalation via the `imic_agent_register` function in all versions up to and including 3.6.  
This vulnerability arises from insufficient restrictions on role assignment during registration, allowing unauthenticated attackers to arbitrarily specify their role, including `Administrator`, when registering a new user.

This critical flaw enables remote attackers to gain full administrative access to WordPress sites running vulnerable versions of the theme, jeopardizing the integrity and security of the affected system.
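
The missing control is a server-side allowlist on the role a registrant may receive. The following added example (not part of the original README or of the theme's code) applies that allowlist as a request filter in front of `admin-ajax.php`. It assumes the AJAX action is named `imic_agent_register` like the function and that the role travels in a form field named `role`; the allowed role names are a hypothetical site policy.

```python
from urllib.parse import parse_qs

# Assumptions, not taken from the theme's source: the AJAX action is named
# after the function in the advisory, and the requested role arrives in a
# form field called "role". Confirm both against the installed theme.
GUARDED_ACTIONS = {"imic_agent_register"}
ROLE_FIELDS = ("role", "role[]")
# Site policy (hypothetical): roles a visitor may give themselves.
SELF_SERVICE_ROLES = {"subscriber", "agent"}
AJAX_SUFFIX = "/wp-admin/admin-ajax.php"


def inspect_registration(path: str, body: str) -> tuple[str, str]:
    """Return (verdict, reason) for one POST; verdict is 'allow' or 'block'."""
    url_path, _, query = path.partition("?")
    if not url_path.endswith(AJAX_SUFFIX):
        return "allow", "not an admin-ajax request"
    # admin-ajax.php reads the action from the query string or the body.
    fields = parse_qs(query + "&" + body, keep_blank_values=True)
    actions = {a.strip() for a in fields.get("action", [])}
    if not actions & GUARDED_ACTIONS:
        return "allow", "different AJAX action"
    # Check every occurrence: a repeated key must not hide a second value.
    requested = {r.strip().lower() for f in ROLE_FIELDS for r in fields.get(f, [])}
    denied = sorted(r for r in requested if r and r not in SELF_SERVICE_ROLES)
    if denied:
        return "block", "role not self-assignable: " + ", ".join(denied)
    return "allow", "role absent or on the self-service allowlist"


# Constructed sample requests (path, urlencoded body); not captured traffic.
AJAX = "/wordpress/wp-admin/admin-ajax.php"
SAMPLES = [
    (AJAX, "action=imic_agent_register&role=agent"),
    (AJAX, "action=imic_agent_register&role=administrator"),
    (AJAX, "action=imic_agent_register&role=agent&role=Administrator"),
    (AJAX + "?action=imic_agent_register", "role%5B%5D=editor"),
    (AJAX, "action=heartbeat&role=administrator"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(inspect_registration(path, body), body)
```

A filter like this is a stopgap. The durable fix is for the registration handler to assign the role on the server and ignore any role the client sends.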

---

## ⚡ Script Overview

**CVE-2025-6758.py** is a professional exploit and automation script written in Python to demonstrate and leverage this vulnerability.  
The script is built for penetration testers and security researchers, providing automated discovery, nonce extraction, and exploitation in a highly reliable, modular, and silent manner.

### Key Features

## 📚 Optional Arguments Table

| Argument            | Default Value            | Description                                                            |
|---------------------|-------------------------|------------------------------------------------------------------------|
| `--username`        | Nxploited               | Set custom username for registration                                   |
| `--password`        | 123456789               | Set custom password for registration                                   |
| `--email`           | NxploitBot@gmail.com    | Set custom email address                                               |
| `--position`        | Nxploitedadmin          | Set custom position value                                              |
| `--role`            | administrator           | Set registration role (Administrator recommended for exploitation)      |
| `--max-pages`       | 30                      | Maximum pages to crawl for nonce discovery                             |
| `--max-depth`       | 2                       | Maximum link crawl depth                                               |
| `--scan-common-paths` | *None*                 | Scan additional registration/plugin/theme paths for nonce (flag only)   |
| `--ajax-path`       | wp-admin/admin-ajax.php | Custom AJAX POST endpoint                                              |
| `--verify-ssl`      | *None*                  | Enable SSL certificate verification (flag only)                        |
| `--cookie-save`     | *None*                  | Path to save session cookies (pickle format)                           |
| `--save-json`       | *None*                  | Path to save nonce discovery results as JSON                           |
| `--debug`           | *None*                  | Enable debug logging and print HTML/JS snippets (flag only)            |



---

## 🚀 Usage Instructions

```bash
python3 CVE-2025-6758.py -u http://TARGET/wordpress/
```

### Optional Arguments

- `--username`      Set custom username (default: Nxploited)
- `--password`      Set custom password (default: 123456789)
- `--email`         Set custom email (default: NxploitBot@gmail.com)
- `--position`      Set custom position (default: Nxploitedadmin)
- `--role`          Set user role (default: administrator)
- `--max-pages`     Maximum pages to crawl for nonce discovery (default: 30)
- `--max-depth`     Maximum link crawl depth (default: 2)
- `--scan-common-paths`  Scan additional registration/plugin/theme paths
- `--ajax-path`     Custom AJAX POST endpoint (default: wp-admin/admin-ajax.php)
- `--verify-ssl`    Enable SSL certificate verification
- `--cookie-save`   Path to save session cookies
- `--save-json`     Path to save nonce discovery results as JSON
- `--debug`         Enable debug logging and print HTML/JS snippets

### Example

```bash
python3 CVE-2025-6758.py -u http://192.168.100.74:888/wordpress/ --username AdminX --password MySecretPass123 --scan-common-paths --debug
```

---

## 🎯 Output

Upon successful exploitation, the script will output:

```
[+] Exploitation successful.
[+] Server message: You're successfully register
[+] Username: Nxploited
[+] Password: 123456789
[+] Email: NxploitBot@gmail.com
```

If exploitation fails or the nonce is not found, descriptive error messages and hints for further troubleshooting will be shown.
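
On the defender's side, the result of a successful run is a new administrator account, so the durable check is an audit of the administrator list. The following added example (not part of the original README) reads the JSON printed by `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json` and flags accounts for review. The approved-login list, the baseline timestamp and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Defaults the README lists for the script's --username and --email options.
# Both can be overridden, so the allowlist and baseline checks matter more.
POC_LOGINS = {"nxploited"}
POC_EMAILS = {"nxploitbot@gmail.com"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # format of WordPress's user_registered


def audit_admins(wp_cli_json: str, approved: set[str], baseline: str) -> list[dict]:
    """Flag administrator accounts that need review.

    approved: logins the site owner knows to be legitimate administrators
    baseline: timestamp of the last reviewed state, in TS_FORMAT
    """
    cutoff = datetime.strptime(baseline, TS_FORMAT)
    approved = {a.lower() for a in approved}
    findings = []
    for user in json.loads(wp_cli_json):
        login = user["user_login"].lower()
        email = user["user_email"].lower()
        reasons = []
        if login in POC_LOGINS or email in POC_EMAILS:
            reasons.append("matches PoC default identity")
        if login not in approved:
            reasons.append("administrator not on approved list")
        if datetime.strptime(user["user_registered"], TS_FORMAT) > cutoff:
            reasons.append("registered after baseline")
        if reasons:
            findings.append({"login": user["user_login"], "reasons": reasons})
    # Accounts with the most independent reasons come first.
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


# Constructed sample of the wp-cli JSON output; not data from a real site.
SAMPLE_WP_CLI_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org", "user_registered": "2023-02-11 09:15:00"},
 {"ID": 58, "user_login": "AdminX", "user_email": "adminx@example.net", "user_registered": "2025-07-21 22:05:47"},
 {"ID": 57, "user_login": "Nxploited", "user_email": "NxploitBot@gmail.com", "user_registered": "2025-07-20 03:41:12"}
]"""

if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_WP_CLI_JSON, {"siteowner"}, "2025-07-01 00:00:00"):
        print(finding["login"], "->", "; ".join(finding["reasons"]))
```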

---

## ⚠️ Disclaimer

This script is intended for **educational, research, and authorized penetration testing purposes only**.  
Any unauthorized use against websites or systems without explicit written permission from the owner is strictly prohibited and may be illegal.  
The author assumes no responsibility for misuse or damages resulting from use of this script.

---


*By: Nxploited ( Khaled Alenazi )*

File snapshot

```
[4.0K] /data/pocs/e352451a75972f0eb68a79726a3a0445532fdde9
├── [ 12K] CVE-2025-6758.py
├── [1.5K] LICENSE
├── [5.5K] README.md
└── [  24] requirements.txt

1 directory, 4 files
```