Source: https://sploitus.com/exploit?id=2E84A936-8E96-544C-806E-DCEEEA9B7810
# QE3 - WordPress Auto Exploitation Scanner
**Ultimate WordPress Vulnerability Scanner & Exploiter**
[Features](#features) • [Installation](#installation) • [Usage](#usage) • [Exploits](#exploits) • [FOFA Integration](#fofa-integration)
---
## About
**QE3** is an automated WordPress exploitation scanner built for security testing. It detects and exploits vulnerabilities in WordPress plugins, themes and core with a single command.
### Why QE3?
- **Fully Automated** - scan, detect, exploit and verify in one command
- **7 Built-in Exploits** - covers CVEs from 2025-2026
- **Smart Shell Injection** - three execution methods for maximum compatibility
- **FOFA Integration** - mass scanning from FOFA search results
- **Zero False Positives** - a shell is reported only when its command output is verified to contain `uid=`
- **Beautiful Output** - clean interface with colors and symbols
- **Auto Save** - working shells are saved automatically to `berhasil.txt`
---
## Features
### Core Features
| Feature | Description |
|---------|-------------|
| **Auto Plugin Detection** | Detects installed plugins and their versions |
| **Version Checking** | Compares detected versions against known-vulnerable ranges |
| **Multiple Exploits** | 7 different exploitation methods |
| **Smart Shell Testing** | Triple execution: system(), shell_exec(), eval() |
| **UID Verification** | Only reports shells with verified `uid=` output |
| **Single & Mass Scan** | Accepts a single target or a list.txt of targets |
| **FOFA Dorks** | Built-in dorks for mass target hunting |
| **Auto Save** | Working shells saved to berhasil.txt |
### Output Features
- **Plugin Version Display** - shows whether each plugin is Vulnerable, Patched or Unknown
- **Status Symbols** - per-step symbols (including 🎯 for the target line) for easy reading
- **Failure Reasons** - detailed explanation of why an exploit failed
- **UID Output** - displays the actual `uid=33(www-data)` output
- **Progress Tracking** - real-time progress during mass scanning
- **Summary Report** - complete statistics at the end of the scan
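The UID-verification step above is what separates a "shell" from a page that merely returned HTTP 200. The following is an added example written for this page, not code from QE3 or the MHL Team: `verify_shell`, `triage`, `berhasil_line`, the `cmd` query parameter, the fixed `SAMPLE_TIME` and the sample responses are all assumptions constructed here. It shows why the check has to match the full shape of `id` output (numeric uid, user name, gid field) rather than the bare string `uid=`, and how a verified hit is rendered in the `berhasil.txt` record layout.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Output of `id` on a Unix host looks like:
#   uid=33(www-data) gid=33(www-data) groups=33(www-data)
# The pattern requires the numeric uid, its parenthesised name AND a following gid field,
# so a page that merely reflects the literal text "uid=" (search boxes, error pages) fails.
ID_RE = re.compile(r"uid=(\d+)\(([\w.-]+)\)\s+gid=\d+\(")

# Fixed timestamp for the constructed sample below (assumption, keeps output reproducible).
SAMPLE_TIME = datetime(2026, 2, 15, 14, 30, 12)


def verify_shell(body: str) -> Optional[Tuple[int, str]]:
    """Return (uid, username) when `body` carries genuine `id` output, otherwise None."""
    m = ID_RE.search(body)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def berhasil_line(domain: str, shell_url: str, method: str, when: Optional[datetime] = None) -> str:
    """Render one record in the `Timestamp | Domain | Shell URL | Method` layout of berhasil.txt."""
    when = when or datetime.now()
    return f"{when:%Y-%m-%d %H:%M:%S} | {domain} | {shell_url} | {method}"


def triage(responses: Dict[str, str], method: str, when: Optional[datetime] = None) -> List[str]:
    """Keep only candidate shells whose response verifies and return their berhasil.txt lines.

    `responses` maps a probe URL (shell URL plus an assumed `cmd` parameter) to the body it returned.
    """
    lines = []
    for probe_url, body in responses.items():
        if verify_shell(body) is None:
            continue  # HTTP 200 alone proves nothing: no `id` output, no record
        domain = probe_url.split("/")[2]
        shell_url = probe_url.split("?")[0]
        lines.append(berhasil_line(domain, shell_url, method, when))
    return lines


# Constructed sample responses (not real captures): a working shell, a 404 page,
# and a search page that reflects the probe text without executing anything.
SAMPLE_RESPONSES = {
    "https://example.com/wp-content/uploads/qn.php?cmd=id":
        "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    "https://example.com/wp-content/uploads/missing.php?cmd=id":
        "<html><head><title>404 Not Found</title></head></html>",
    "https://example.com/?s=uid%3D":
        "<p>Search results for: uid=</p>",
}

if __name__ == "__main__":
    for record in triage(SAMPLE_RESPONSES, "WPvivid", SAMPLE_TIME):
        print(record)
```

The three execution primitives the tool tries differ only in how the output reaches the response: `system()` writes it directly, `shell_exec()` returns a string that the payload must echo, and `eval()` runs PHP code so the command has to be wrapped in a call. Whichever one the target permits, the response is judged by the same `id`-shaped check, which is what makes the reported count trustworthy.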
---
## Exploits
QE3 v7.0 Final ships with **7 automated exploits**:
| # | Exploit | CVE | Type | Year |
|---|---------|-----|------|------|
| 1 | WordPress LFI | - (`wp_lang` parameter) | Path Traversal + Log Poisoning | 2024 |
| 2 | Melis CMS Slider | - | Unrestricted Upload | 2025 |
| 3 | g-FFL Checkout | CVE-2025-68001 | Unrestricted Upload | 2025 |
| 4 | WPvivid Backup | CVE-2026-1357 | RCE via AES Encryption | 2026 |
| 5 | Hash Form | CVE-2024-5084 | File Upload | 2024 |
| 6 | KiotViet | CVE-2025-12674 | REST API Upload | 2025 |
| 7 | Generic Upload | - | Multiple Methods | - |
### Latest CVEs (2025-2026)
- **CVE-2025-68001** - g-FFL Checkout plugin (Jan 2026)
- **CVE-2025-12674** - KiotViet Integration (Dec 2025)
- **CVE-2026-1357** - WPvivid Backup unauthenticated RCE (Jan 2026)
---
## Installation
### Requirements
- Python 3.7+
- pip
### Quick Install
```bash
# Clone repository
git clone https://github.com/Sincan2/wordpress-Exploit-2026.git
cd wordpress-Exploit-2026
# Install dependencies
pip install -r requirements.txt
# Make executable
chmod +x qe3.py
# Run
./qe3.py --help
```
### Dependencies
```
requests>=2.31.0
colorama>=0.4.6
pycryptodome>=3.19.0
```
---
## Usage
### Basic Usage
```bash
# Single target
./qe3.py example.com
# With protocol
./qe3.py https://example.com
# Multiple targets
./qe3.py list.txt
# Show FOFA dorks
./qe3.py --dorks
```
### Single Target Example
```bash
$ ./qe3.py example.com
╔═══════════════════════════════════════╗
║   WordPress Auto Scanner v7.0 FINAL   ║
╚═══════════════════════════════════════╝
[Single Target Mode]
────────────────────────────────────────
🎯 Target: https://example.com
────────────────────────────────────────
Connected via HTTPS
[Scanning Plugins]
VULNERABLE wpvivid-backuprestore
   └─ Version: 0.9.85 | Vuln:
```
### FOFA Integration
Targets harvested from FOFA are saved to `targets.txt` and scanned like any other target list:
```bash
# 4. Scan with QE3
./qe3.py targets.txt
# 5. View results
cat berhasil.txt
```
---
## Output Files
### berhasil.txt
Format: `Timestamp | Domain | Shell URL | Method`
```
2026-02-15 14:30:12 | example.com | https://example.com/wp-content/uploads/qn.php | WPvivid
2026-02-15 14:31:45 | test.com | https://test.com/wp-content/uploads/g-ffl/shell.php | g-FFL
```
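Seen from the defender's side, the records above describe exactly what a successful run leaves behind: a PHP file served from `wp-content/uploads/`, a directory WordPress itself never puts executable code in. The following is an added example written for this page, not part of QE3: the log lines are constructed, and `find_upload_shell_hits`, `by_source` and the status-code policy are assumptions of this example. It scans combined-format access-log lines for PHP-family files under the uploads tree that the server actually executed and groups the hits by client IP.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Apache/nginx "combined" access-log format. Only the client IP, timestamp,
# request path and status code are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# A PHP-family file under the uploads tree. WordPress never stores executable
# code there itself; the shells recorded in berhasil.txt live exactly here.
UPLOAD_PHP_RE = re.compile(
    r"^/wp-content/uploads/[^?]*\.(?:php\d?|phtml|phar)(?:\?|$)", re.IGNORECASE
)


def find_upload_shell_hits(lines: List[str]) -> List[dict]:
    """Return requests for PHP files under wp-content/uploads that the server executed.

    A 2xx means the script ran; a 5xx usually means it ran and crashed. 403/404 are
    excluded because they indicate a deny rule or a missing file, not execution.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed or non-combined line
        if not UPLOAD_PHP_RE.match(m["path"]):
            continue
        status = int(m["status"])
        if 200 <= status < 300 or status >= 500:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "status": status})
    return hits


def by_source(hits: List[dict]) -> Dict[str, List[str]]:
    """Group the flagged paths by client IP, the unit an analyst will pivot on."""
    groups = defaultdict(list)
    for h in hits:
        groups[h["ip"]].append(h["path"])
    return dict(groups)


# Constructed sample log (not real traffic). The two shell paths mirror the berhasil.txt records above.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Feb/2026:14:30:10 +0000] "GET /wp-content/uploads/qn.php?cmd=id HTTP/1.1" 200 54 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [15/Feb/2026:14:30:11 +0000] "GET /wp-content/uploads/2026/02/photo.jpg HTTP/1.1" 200 81230 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Feb/2026:14:31:40 +0000] "GET /wp-content/uploads/g-ffl/shell.php HTTP/1.1" 200 67 "-" "curl/8.4.0"',
    '198.51.100.7 - - [15/Feb/2026:14:31:41 +0000] "GET /wp-content/uploads/old/backdoor.php HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '192.0.2.9 - - [15/Feb/2026:14:32:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for ip, paths in by_source(find_upload_shell_hits(SAMPLE_LOG)).items():
        print(ip, paths)
```

The durable fix is to make the 403 in the fourth sample line the norm: deny PHP execution under `wp-content/uploads/` at the web server (an nginx `location` block that denies `\.php$` under that prefix, or an Apache `<FilesMatch "\.php$">` with `Require all denied` in the uploads directory), so that every upload exploit in the table above lands a file that cannot run.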
---
## Success Rates
Based on real-world testing:
| Exploit | Success Rate | Notes |
|---------|--------------|-------|
| g-FFL Checkout | **~95%** | If plugin detected |
| Melis CMS | **~85%** | Common in corporate sites |
| WordPress LFI | **~40%** | Core vulnerability |
| WPvivid Unauth | **~30%** | Popular backup plugin |
| **Overall** | **~35-40%** | From FOFA results |
---
## Legal Disclaimer
**IMPORTANT - READ CAREFULLY:**
This tool is for **educational and authorized security testing only**.
**Legal Use:**
- Testing your own websites
- Authorized penetration testing with written permission
- Security research in controlled environments
**Illegal Use:**
- Unauthorized access to systems you don't own
- Testing without explicit permission
- Any malicious activities
**BY USING THIS TOOL YOU AGREE:**
- You have authorization to test target systems
- Authors are not responsible for misuse
---
**Made with ❤️ by MHL Team**
*For educational purposes only. Use responsibly.*