CVE-2025-6758 PoC — Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to Administrator via 'i

Source
Associated Vulnerability
Title: Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to Administrator via 'imic_agent_register' (CVE-2025-6758)
Description: The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration.
Description
Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to Administrator
Readme
## Real Spaces - WordPress Properties Directory Theme ≤ 3.6  
### Unauthenticated Privilege Escalation to Administrator via `imic_agent_register`

---

## 📝 Description

**CVE-2025-6758**  
**CVSS Score:** 9.8 (Critical)

The **Real Spaces - WordPress Properties Directory Theme** for WordPress is vulnerable to privilege escalation via the `imic_agent_register` function in all versions up to and including 3.6.  
This vulnerability arises from insufficient restrictions on role assignment during registration, allowing unauthenticated attackers to arbitrarily specify their role, including `Administrator`, when registering a new user.

This critical flaw enables remote attackers to gain full administrative access to WordPress sites running vulnerable versions of the theme, jeopardizing the integrity and security of the affected system.

---

## ⚡ Script Overview

**CVE-2025-6758.py** is a professional exploit and automation script written in Python to demonstrate and leverage this vulnerability.  
The script is built for penetration testers and security researchers, providing automated discovery, nonce extraction, and exploitation in a highly reliable, modular, and silent manner.

### Key Features

## 📚 Optional Arguments Table

| Argument            | Default Value            | Description                                                            |
|---------------------|-------------------------|------------------------------------------------------------------------|
| `--username`        | Nxploited               | Set custom username for registration                                   |
| `--password`        | 123456789               | Set custom password for registration                                   |
| `--email`           | NxploitBot@gmail.com    | Set custom email address                                               |
| `--position`        | Nxploitedadmin          | Set custom position value                                              |
| `--role`            | administrator           | Set registration role (Administrator recommended for exploitation)      |
| `--max-pages`       | 30                      | Maximum pages to crawl for nonce discovery                             |
| `--max-depth`       | 2                       | Maximum link crawl depth                                               |
| `--scan-common-paths` | *None*                 | Scan additional registration/plugin/theme paths for nonce (flag only)   |
| `--ajax-path`       | wp-admin/admin-ajax.php | Custom AJAX POST endpoint                                              |
| `--verify-ssl`      | *None*                  | Enable SSL certificate verification (flag only)                        |
| `--cookie-save`     | *None*                  | Path to save session cookies (pickle format)                           |
| `--save-json`       | *None*                  | Path to save nonce discovery results as JSON                           |
| `--debug`           | *None*                  | Enable debug logging and print HTML/JS snippets (flag only)            |



---

## 🚀 Usage Instructions

```bash
python3 CVE-2025-6758.py -u http://TARGET/wordpress/
```

### Optional Arguments

- `--username`      Set custom username (default: Nxploited)
- `--password`      Set custom password (default: 123456789)
- `--email`         Set custom email (default: NxploitBot@gmail.com)
- `--position`      Set custom position (default: Nxploitedadmin)
- `--role`          Set user role (default: administrator)
- `--max-pages`     Maximum pages to crawl for nonce discovery (default: 30)
- `--max-depth`     Maximum link crawl depth (default: 2)
- `--scan-common-paths`  Scan additional registration/plugin/theme paths
- `--ajax-path`     Custom AJAX POST endpoint (default: wp-admin/admin-ajax.php)
- `--verify-ssl`    Enable SSL certificate verification
- `--cookie-save`   Path to save session cookies
- `--save-json`     Path to save nonce discovery results as JSON
- `--debug`         Enable debug logging and print HTML/JS snippets

### Example

```bash
python3 CVE-2025-6758.py -u http://192.168.100.74:888/wordpress/ --username AdminX --password MySecretPass123 --scan-common-paths --debug
```

---

## 🎯 Output

Upon successful exploitation, the script will output:

```
[+] Exploitation successful.
[+] Server message: You're successfully register
[+] Username: Nxploited
[+] Password: 123456789
[+] Email: NxploitBot@gmail.com
```

If exploitation fails or the nonce is not found, descriptive error messages and hints for further troubleshooting will be shown.
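
For defenders, the account this script registers is the artifact to look for. The following is an added example, not part of the PoC repository: it audits a user export for accounts that match the PoC's default username or email, or that hold a privileged role, are absent from an owner-supplied allowlist, and were registered while the vulnerable theme was reachable. The `wp user list --format=json` input shape, the sample records, the set of privileged roles, the allowlist and the cutoff date are assumptions or constructed values.

```python
import json
from datetime import datetime

# Default account values from the PoC's argument table on this page.
POC_LOGIN = "nxploited"
POC_EMAIL = "nxploitbot@gmail.com"
PRIVILEGED_ROLES = {"administrator", "editor"}  # assumption: roles worth reviewing


def audit_users(users, known_admins, exposed_since):
    """Return [(login, [reasons])] for accounts that need manual review.

    users         -- dicts shaped like `wp user list --format=json` output (assumed)
    known_admins  -- logins the site owner has confirmed as legitimate
    exposed_since -- datetime from which the vulnerable theme was reachable
    """
    allow = {name.lower() for name in known_admins}
    findings = []
    for user in users:
        login = user["user_login"].lower()
        email = user["user_email"].lower()
        # WP-CLI reports roles as one comma-separated string.
        roles = {r.strip().lower() for r in (user.get("roles") or "").split(",") if r.strip()}
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login == POC_LOGIN or email == POC_EMAIL:
            reasons.append("matches PoC default username or email")
        if roles & PRIVILEGED_ROLES and login not in allow and registered >= exposed_since:
            reasons.append("unrecognised privileged account registered during exposure")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


# Constructed sample export; none of these records come from a real site.
SAMPLE_EXPORT = json.loads("""[
 {"user_login": "siteowner", "user_email": "owner@example.test",
  "user_registered": "2021-03-02 09:15:00", "roles": "administrator"},
 {"user_login": "Nxploited", "user_email": "NxploitBot@gmail.com",
  "user_registered": "2025-08-14 22:41:07", "roles": "administrator"},
 {"user_login": "agent_jane", "user_email": "jane@example.test",
  "user_registered": "2025-08-15 10:02:33", "roles": "agent"},
 {"user_login": "AdminX", "user_email": "adminx@example.test",
  "user_registered": "2025-08-16 03:12:50", "roles": "administrator"}
]""")

if __name__ == "__main__":
    # Constructed cutoff: treat the site as exposed from 1 Jan 2025.
    for login, reasons in audit_users(SAMPLE_EXPORT, {"siteowner"}, datetime(2025, 1, 1)):
        print(f"{login}: {'; '.join(reasons)}")
```

The username and email checks only catch runs that kept the defaults; the allowlist and registration-date check is what catches an account created with custom `--username` and `--email` values.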

---

## ⚠️ Disclaimer

This script is intended for **educational, research, and authorized penetration testing purposes only**.  
Any unauthorized use against websites or systems without explicit written permission from the owner is strictly prohibited and may be illegal.  
The author assumes no responsibility for misuse or damages resulting from use of this script.

---


*By: Nxploited ( Khaled Alenazi )*
File Snapshot

```
[4.0K] /data/pocs/e352451a75972f0eb68a79726a3a0445532fdde9
├── [ 12K] CVE-2025-6758.py
├── [1.5K] LICENSE
├── [5.5K] README.md
└── [ 24] requirements.txt

1 directory, 4 files
```