Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-34077 PoC — WordPress Pie Register Plugin ≤ 3.7.1.4 Authentication Bypass RCE

Source
https://github.com/MrjHaxcore/CVE-2025-34077
Associated Vulnerability
Title:WordPress Pie Register Plugin ≤ 3.7.1.4 Authentication Bypass RCE (CVE-2025-34077)
Description:An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
Description
 WordPress Pie Register ≤ 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
Readme
# CVE-2025-34077 — WordPress Pie Register ≤ 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)

![Exploit Status](https://img.shields.io/badge/exploit-working-brightgreen)
![CVE Badge](https://img.shields.io/badge/CVE-2025--34077-red)
![Python](https://img.shields.io/badge/language-python-blue)

## 💀 Author
**Mrj Haxcore** 

## 🧠 Vulnerability Summary

The `Pie Register` plugin for WordPress (version ≤ 3.7.1.4) exposes an unauthenticated endpoint that allows an attacker to **hijack admin sessions** simply by POSTing a specific payload.

Exploitation results in **stealing the session cookies of user ID 1** (usually `admin`) without needing any login credentials.

---

## 📦 Affected Software

- Plugin Name: **Pie Register**
- Version: **<= 3.7.1.4**
- Plugin Slug: `pie-register`
- [Plugin Page](https://wordpress.org/plugins/pie-register/)
- [Vulnerable Download Link](https://downloads.wordpress.org/plugin/pie-register.3.7.1.0.zip)

---

### 📬 Vulnerable Parameter:

user_id_social_site=1
When posted to the root URL (`/`), this parameter causes the plugin to authenticate the attacker as the user with ID `1` (typically the `admin`), and issue valid session cookies.

---

### 🔧 Requirements
- Python 3.x
- `requests`, `beautifulsoup4` (optional, for cookie parsing)

### ▶️ Run the Exploit

```bash
python3 pie.py http://target.site

---
Output
[*] Sending payload to hijack admin session...

[+] Successfully hijacked cookies for user_id=1 (admin):
    wordpress_sec_xxxxxx = <cookie_value>
    wordpress_logged_in_xxxxxx = <cookie_value>

[!] Use these cookies in your browser or tools like curl or Burp to act as admin.
File Snapshot

 [4.0K]  /data/pocs/a7646e348fd17a4daa99259157c2221311889b6a
├── [2.4K]  pie.py
└── [1.6K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →