what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 100 RSS Feed

Files

WordPress Username Enumeration
Posted Mar 3, 2017
Authored by Dctor

Simple PHP proof of concept exploit that demonstrates username enumeration in WordPress versions prior to 4.7.1.

tags | exploit, php, proof of concept
advisories | CVE-2017-5487
SHA-256 | 6330d946fbcd5422cc1b6d65d1436107000d78c749ccd76f058efcd3d7c00f83

Related Files

WordPress Hash Form 1.1.0 Remote Code Execution
Posted Jun 6, 2024
Authored by Valentin Lobstein, Francesco Carlucci | Site metasploit.com

The Hash Form Drag and Drop Form Builder plugin for WordPress suffers from a critical vulnerability due to missing file type validation in the file_upload_action function. This vulnerability exists in all versions up to and including 1.1.0. Unauthenticated attackers can exploit this flaw to upload arbitrary files, including PHP scripts, to the server, potentially allowing for remote code execution on the affected WordPress site. This Metasploit module targets multiple platforms by adapting payload delivery and execution based on the server environment.

tags | exploit, remote, arbitrary, php, code execution
advisories | CVE-2024-5084
SHA-256 | 64b2193d74612e99562b23a4a36b832a46e526be92d5e77374181caa141143e0
WordPress Bricks Builder Theme 1.9.6 Remote Code Execution
Posted Mar 27, 2024
Authored by Valentin Lobstein, Calvin Alkan | Site metasploit.com

This Metasploit module exploits an unauthenticated remote code execution vulnerability in the Bricks Builder Theme versions 1.9.6 and below for WordPress. The vulnerability allows attackers to execute arbitrary PHP code by leveraging a nonce leakage to bypass authentication and exploit the eval() function usage within the theme. Successful exploitation allows for full control of the affected WordPress site. It is recommended to upgrade to version 1.9.6.1 or higher.

tags | exploit, remote, arbitrary, php, code execution
advisories | CVE-2024-25600
SHA-256 | 5a32fb78bdb52593a7f339d7321ec50570d8dc8998da3f4da0c0eaf663f73ac5
WordPress Backup Migration 1.3.7 Remote Command Execution
Posted Jan 18, 2024
Authored by jheysel-r7, Valentin Lobstein, Nex Team | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability in WordPress Backup Migration plugin versions 1.3.7 and below. The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution.

tags | exploit, remote, php
advisories | CVE-2023-6553
SHA-256 | 1feecca12306422ebe993c3821d87be77ad3056e719f9dcbae7c033f156e447f
WordPress Royal Elementor Addons And Templates Remote Shell Upload
Posted Nov 29, 2023
Authored by Valentin Lobstein, Fioravante Souza | Site metasploit.com

WordPress Royal Elementor Addons and Templates plugin versions prior to 1.3.79 suffer from a remote shell upload vulnerability.

tags | exploit, remote, shell
advisories | CVE-2023-5360
SHA-256 | 514871b05ceb1ed65e97c420f4e9a96957ce2443102fd59ba2de86664048ea50
WordPress File Manager Advanced Shortcode 2.3.2 Remote Code Execution
Posted Jul 25, 2023
Authored by h00die-gr3y, Mateus Machado Tesser | Site metasploit.com

WordPress File Manager Advanced Shortcode plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to remote code execution in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration. Versions 2.3.2 and below are affected. To install the Shortcode plugin File Manager Advanced version 5.0.5 or lower is required to keep the configuration vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system with the same privileges under which the Wordpress web services run.

tags | exploit, remote, web, php, code execution
advisories | CVE-2023-2068
SHA-256 | 70276f13c7da05f57a272fbb51cb03ce6c129189c7bb524b4612cc20be063403
WordPress Elementor 3.6.2 Shell Upload
Posted Oct 4, 2022
Authored by h00die, Ramuel Gall, AkuCyberSec | Site metasploit.com

WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.

tags | exploit, remote, shell
advisories | CVE-2022-1329
SHA-256 | 0537a61d8c7e168ee93f25ae88cc62b13741cb186c02291ebc2f946f834cd81f
WordPress Catch Themes Demo Import Shell Upload
Posted Jan 5, 2022
Authored by h00die, Thinkland Security Team, Ron Jost | Site metasploit.com

WordPress Catch Themes Demo Import plugin versions prior to 1.8 suffer from a remote shell upload vulnerability.

tags | exploit, remote, shell
advisories | CVE-2021-39352
SHA-256 | 999305fb949e529f94cd8317c66ad4e660226106492dac5ff2bb180f31a8f911
WordPress Popular Posts 5.3.2 Remote Code Execution
Posted Dec 20, 2021
Authored by h00die, Simone Cristofaro, Jerome Bruandet | Site metasploit.com

This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080. The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request for the payload, prior to getting a GET request. This exploit leverages an authenticated improper input validation in WordPress plugin Popular Posts versions 5.3.2 and below. The exploit chain is rather complicated. Authentication is required and gd for PHP is required on the server. Then the Popular Post plugin is reconfigured to allow for an arbitrary URL for the post image in the widget. A post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once the post hits the top 5, and after a 60 second server cache refresh (the exploit waits 90 seconds), the homepage widget is loaded which triggers the plugin to download the payload from the server. The payload has a GIF header, and a double extension (.gif.php) allowing for arbitrary PHP code to be executed.

tags | exploit, web, arbitrary, php
advisories | CVE-2021-42362
SHA-256 | 90db5fa8de8fdf34a913230d5320fbeba171c2aac53e75371d7b3d5919bde065
WordPress Pie Register 3.7.1.4 Authentication Bypass / Remote Code Execution
Posted Nov 2, 2021
Authored by h00die, Lotfi13-DZ | Site metasploit.com

This Metasploit module uses an authentication bypass vulnerability in Wordpress Pie Register plugin versions 3.7.1.4 and below to generate a valid cookie. With this cookie, hopefully of the admin, it will generate a plugin, pack the payload into it and upload it to a server running WordPress.

tags | exploit, bypass
SHA-256 | 264c63ccfe6e89f9ea56a7b424108e323208432961e4e3c392e667c8ffa32f85
WordPress SP Project And Document Remote Code Execution
Posted Jul 26, 2021
Authored by Ron Jost, Yann Castel | Site metasploit.com

This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in WordPress SP Project and Document plugin versions prior to 4.22. The security check only searches for lowercase file extensions such as .php, making it possible to upload .pHP files for instance. Finally, the uploaded payload can be triggered by a call to /wp-content/uploads/sp-client-document-manager/<user_id>/<random_payload_name>.php.

tags | exploit, arbitrary, shell, php, file upload
advisories | CVE-2021-24347
SHA-256 | 7d2c3f217f9d96a1b8933d18886edae37099a342dcf9addd2e24438914311c20
WordPress Modern Events Calendar Remote Code Execution
Posted Jul 26, 2021
Authored by Ron Jost, Yann Castel, Nguyen Van Khanh | Site metasploit.com

This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in WordPress Modern Events Calendar plugin versions prior to 5.16.5. This is due to an incorrect check of the uploaded file extension. Indeed, by using text/csv content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin. Finally, the uploaded payload can be triggered by a call to /wp-content/uploads/<random_payload_name>.php.

tags | exploit, arbitrary, shell, php, file upload
advisories | CVE-2021-24145
SHA-256 | 69c7df31917c6908273c697f81d8629ab2b33991a9590623c7646f14dbb26004
WordPress Backup Guard Authenticated Remote Code Execution
Posted Jul 21, 2021
Authored by Ron Jost, Nguyen Van Khanh | Site metasploit.com

This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin Backup Guard versions prior to 1.6.0. This is due to an incorrect check of the uploaded file extension which should be of SGBP type. Then, the uploaded payload can be triggered by a call to /wp-content/uploads/backup-guard/<random_payload_name>.php.

tags | exploit, arbitrary, shell, php, file upload
advisories | CVE-2021-24155
SHA-256 | 3cec1dda9d347f45f65889e051e7fd1d9dc38d9c3e6197d8f4224ca67cb32a27
WordPress wpDiscuz 7.0.4 Shell Upload
Posted Jun 28, 2021
Authored by Hoa Nguyen, Chloe Chamberland | Site metasploit.com

This Metasploit module exploits an arbitrary file upload in the WordPress wpDiscuz plugin versions from 7.0.0 through 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable server.

tags | exploit, remote, arbitrary, php, code execution, file upload
advisories | CVE-2020-24186
SHA-256 | fab2eeb88db6a1f9b11eed6c490a6ca021dd6f8237a47b405d41bd041a36af45
WordPress AIT CSV Import/Export 3.0.3 Shell Upload
Posted Jan 12, 2021
Authored by h00die | Site metasploit.com

WordPress AIT CSV Import/Export plugin versions 3.0.3 and below allow unauthenticated remote attackers to upload and execute arbitrary PHP code. The upload-handler does not require authentication, nor validates the uploaded content. It may return an error when attempting to parse a CSV, however the uploaded shell is left. The shell is uploaded to wp-content/uploads/. The plugin is not required to be activated to be exploitable.

tags | exploit, remote, arbitrary, shell, php
SHA-256 | a2f6c8a1b2abcf88e7b1c36398324f80a14ac661d3acd2771b420e43bc493668
WordPress WP24 Domain Check 1.6.2 Cross Site Scripting
Posted Jan 6, 2021
Authored by Mehmet Kelepce

WordPress WP24 Domain Check plugin version 1.6.2 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 3b7692ce0a0a7b56e95ad1c79f29073c09364cb903f17b8a505c4e028c66a878
WordPress Simple File List Unauthenticated Remote Code Execution
Posted Nov 25, 2020
Authored by h00die, coiffeur | Site metasploit.com

This Metasploit module exploits WordPress Simple File List plugin versions prior to 4.2.3, which allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not conform to the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed to php and executed.

tags | exploit, remote, arbitrary, php
SHA-256 | c76d8f741d62e082e4021197c4f997d2888355186e9e04b1278f52540744b1fa
WordPress File Manager 6.8 Remote Code Execution
Posted Nov 10, 2020
Authored by Imran E. Dawoodjee, Alex Souza | Site metasploit.com

The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.

tags | exploit, remote, arbitrary, php
advisories | CVE-2020-25213
SHA-256 | cb75a4b68804743f507bff751860e4857ae4e6e2dc885932118f534da8b0dce9
WordPress Drag And Drop Multi File Uploader Remote Code Execution
Posted Jun 4, 2020
Authored by h00die, Austin Martin | Site metasploit.com

This Metasploit module exploits a file upload feature of Drag and Drop Multi File Upload - Contact Form 7 for versions prior to 1.3.4. The allowed file extension list can be bypassed by appending a %, allowing for php shells to be uploaded. No authentication is required for exploitation.

tags | exploit, shell, php, file upload
advisories | CVE-2020-12800
SHA-256 | d94c9f0362d25709f05afe545bc81aff8520f8eb38e83726bf24a2463da16a0a
WordPress InfiniteWP Client Authentication Bypass
Posted Feb 10, 2020
Authored by wvu, WebARX | Site metasploit.com

This Metasploit module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGIN_FILE. The module will attempt to retrieve the original PLUGIN_FILE contents and restore them after payload execution. If VerifyContents is set, which is the default setting, the module will check to see if the restored contents match the original. Note that a valid administrator username is required for this module. WordPress versions greater than and equal to 4.9 are currently not supported due to a breaking WordPress API change. Tested against 4.8.3.

tags | exploit, arbitrary, php
SHA-256 | 46fe60790b9bf89534e2a83e420722f916eab06cd0cd0b2036421fb2f052a420
WordPress Plainview Activity Monitor 20161228 Remote Command Execution
Posted Nov 29, 2019
Authored by Leo LE BOUTER | Site metasploit.com

WordPress Plainview Activity Monitor plugin is vulnerable to OS command injection which allows an attacker to remotely execute commands on the underlying system. Application passes unsafe user supplied data to ip parameter into activities_overview.php. Privileges are required in order to exploit this vulnerability. Vulnerable plugin version: 20161228 and possibly prior. Fixed plugin version: 20180826.

tags | exploit, php
advisories | CVE-2018-15877
SHA-256 | 7ec3e2886cfeb10934e1758d21c4a3b07426bc1755426426441b88d92cfd7024
WordPress Database Backup Remote Command Execution
Posted Jul 27, 2019
Authored by Shelby Pace, Mikey Veenstra | Site metasploit.com

There exists a command injection vulnerability in the Wordpress plugin wp-database-backup for versions less than 5.2. For the backup functionality, the plugin generates a mysqldump command to execute. The user can choose specific tables to exclude from the backup by setting the wp_db_exclude_table parameter in a POST request to the wp-database-backup page. The names of the excluded tables are included in the mysqldump command unsanitized. Arbitrary commands injected through the wp_db_exclude_table parameter are executed each time the functionality for creating a new database backup are run. Authentication is required to successfully exploit this vulnerability.

tags | exploit, arbitrary
SHA-256 | 401ad527c7daa315ba1bf0e69bfa9cc8df0e398c4a05459107a808ada7823a8d
WordPress 5.0.0 crop-image Shell Upload
Posted Apr 4, 2019
Authored by RIPSTECH Technology, Wilfried Becard | Site metasploit.com

This Metasploit module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and versions below or equal to 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. This exploit module only works for Unix-based systems currently.

tags | exploit, local, file inclusion
systems | unix
advisories | CVE-2019-8942, CVE-2019-8943
SHA-256 | bd1f2d0a7453946a4baa703e14878a8668792a590d2018556e1e736471a78c41
WordPress Themes Open Redirection 2019/03/22
Posted Mar 22, 2019
Authored by KingSkrupellos

Many WordPress themes and a plugin suffer from open redirection vulnerabilities. Age-Verification plugins version 0.5 is affected. Themes affected include Ev version 1.x, Nine-Day version 1.6, Aibbt version 1.0, itiis version 1.x, ifxPro.Cn version 5.0, 2kqq version 5.2, Azzxx version 1.2.1, BigChrome version 5.2, clsn-003 version 1.0, Concise version 2.8, TaozHuji version 5.2, UsaMusic-PC version 1.0, Wngzs version 1.0, 2018110612035976 version 1.7.3, Begin4.6 version 4.6, Begin5.2 version 5.2, Begin44 version 4.4, BeginLTS version 6, Zangai version 1.1.0, Deep version 5.4, and Wopus version 1.0.

tags | exploit, vulnerability
SHA-256 | dde24f2673dd10b7c2098a95653b2d7e373925d002e9b0ef39cff99af5b5192b
WordPress 2013 TwentyThirteen Theme 5.0.3 Open Redirection
Posted Jan 16, 2019
Authored by KingSkrupellos

WordPress 2013 TwentyThirteen theme version 5.0.3 suffers from an open redirection vulnerability.

tags | exploit
SHA-256 | 17af8d808260cd382bb561a63cd216ad19865d85b01816a105f2f3c8c4691caa
WordPress Snap Creek Duplicator Code Injection
Posted Dec 12, 2018
Authored by Thomas Chauchefoin, Julien Legras | Site metasploit.com

When the WordPress plugin Snap Creek Duplicator restores a backup, it leaves dangerous files in the filesystem such as installer.php and installer-backup.php. These files allow anyone to call a function that overwrite the wp-config.php file AND this function does not sanitize POST parameters before inserting them inside the wp-config.php file, leading to arbitrary PHP code execution. WARNING: This exploit WILL break the wp-config.php file. If possible try to restore backups of the configuration after the exploit to make the WordPress site work again.

tags | exploit, arbitrary, php, code execution
advisories | CVE-2018-17207
SHA-256 | 905691265705b4759d72dab396f504f56f641ea40f5dc5bc5702ab0b07cd1d7f
Page 1 of 4
Back1234Next

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close