#Exploit Name: Wordpress Levo-Slideshow 2.3 Shell Upload by Unprivileged
user
#Exploit Date: 5/6/2016
#Author: Aaditya Purani
#Author Blog: https://aadityapurani.com
#Vendor: https://wordpress.org/plugins/wp-levoslideshow
#Version: 2.3
#Tested on: Wordpress 4.5.2

Hi This is Aaditya Purani, Let's have look at 0-day Exploit

Plugin Description:

WP- Levoslideshow is a wordpress Plugin is a plugin where users can display
slideshow multiple instance in their post which different categories &
Images.

PoC ( Proof Of Concept ):

1) Login as an unprivileged user, who was no privilege of even uploading a
plugin

2) Go to http://site.com/wp-admin/admin.php?page=levoslideshow_manage

3) If any Gallery exists than don't create and go to "Category Management",
Click on "Add New", Upload any .png / ,jpg image from your PC and intercept
the request

4) After Intercepting the request while upload, Send request to Repeater .
And change filename = image.png.php  and in $POST image data add your PHP
Backdoor between image chunk . It should look like this

http://postimg.org/image/ih4lwyad7/

5) Forward the request and go to
site.com/wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/[YourShell]
to access your shell.

That's it.
Follow: https://twitter.com/aaditya_purani
Website: https://aaditya.com