wordpress plugin exploits
adRotate 5.8.6.2
# can upload shell as zip as image banner
# banner images are auto extracted to /banner folder
# use plugin settings to find where the /banner folder is
# mostly /var/www/html/wordpress/wp-content/banners
wp-content/banners/web.php
simply-poll-master 1.4.1 | 1.5 |
https://www.exploit-db.com/exploits/40971
# POST http://example.com/wp-admin/admin-ajax.php
# --data="action=spAjaxResults&pollid=1 UNION SELECT 1,2,3,4,5,6,7 --"
# pollid is injectable
# UNION query : 7 columns; 6th in injectable
simple-file-list 4.2.2 | RCE
direct reverse shell | https://www.exploit-db.com/exploits/48979
arbitary file upload | https://www.exploit-db.com/exploits/48449
site-import 1.0.1 | LFI + RFI
https://www.exploit-db.com/exploits/39558
/wp-content/plugins/site-import/admin/page.php?url=
wp-support-plus-responsive-ticket-system 7.1.3
https://www.exploit-db.com/exploits/41006
# make exploit.html > update action to domain > run it > submit form
# refresh website > we are logged in
social warfare < 3.5.3
https://github.com/hash3liZer/CVE-2019-9978 (save payload in .txt and host it locally)
https://www.exploit-db.com/exploits/46794
https://github.com/shad0w008/social-warfare-RCE
Last updated
Was this helpful?