## https://sploitus.com/exploit?id=438FD39D-6D17-52D0-AE9F-16536CDB4F6D
# CVE-2024-50526 / 0-Click RCE Exploit
- Author: Joshua Provoste
- https://x.com/JoshuaProvoste/status/1859403137435459727

This repository contains a proof-of-concept exploit for CVE-2024-50526, an unauthenticated arbitrary file upload vulnerability in the Multi Purpose Mail Form WordPress plugin, leading to remote command execution (RCE).
## What the script does
The script uploads a PHP payload through a vulnerable form endpoint without authentication. Once uploaded, it verifies the payload location, detects the target operating system, and provides an interactive remote shell for command execution.
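
For defenders, the upload-then-verify sequence described above leaves a recognisable pattern in web server access logs. The following detection sketch is an added example, not part of this repository or the exploit script. It assumes Combined Log Format, that uploaded files land under `/wp-content/uploads/` (the page does not state the payload location), a 10-minute correlation window, and the form path from the usage example; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumption: uploaded files are stored under the WordPress uploads directory.
PHP_IN_UPLOADS = re.compile(
    r'^/wp-content/uploads/.*\.(?:php\d?|phtml|phar)(?:$|[/?])', re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample log lines (not captured traffic).
SAMPLE = [
    '203.0.113.7 - - [21/Nov/2024:10:00:01 +0000] "POST /mpmf-1/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Nov/2024:10:00:03 +0000] "GET /wp-content/uploads/2024/11/a1.php HTTP/1.1" 200 48',
    '198.51.100.9 - - [21/Nov/2024:10:05:00 +0000] "POST /mpmf-1/ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [21/Nov/2024:10:05:09 +0000] "GET /wp-content/uploads/2024/11/cv.pdf HTTP/1.1" 200 90210',
    '192.0.2.44 - - [21/Nov/2024:11:00:00 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 404 0',
]

def find_upload_then_exec(lines, form_path="/mpmf-1/"):
    """Return (ip, post_time, php_path) tuples where a POST to the form page
    is followed, from the same client and within WINDOW, by a successful
    request for a PHP file under the uploads directory."""
    last_post = {}  # client ip -> time of its most recent POST to the form
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and path.split("?")[0] == form_path:
            last_post[ip] = when
        elif PHP_IN_UPLOADS.match(path) and status.startswith("2"):
            posted = last_post.get(ip)
            if posted and timedelta(0) <= when - posted <= WINDOW:
                hits.append((ip, posted.isoformat(), path.split("?")[0]))
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_exec(SAMPLE):
        print("suspicious upload-then-execute:", *hit)
```

Any hit warrants checking the named file on disk; a PHP file served from an upload directory is abnormal on its own, regardless of which form delivered it.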
## Usage
```
python CVE-2024-50526.py --target http://target-wordpress-site/mpmf-1/ --form-name hkh
```
After execution, the script uploads the payload, confirms its accessibility, detects the OS, and drops into an interactive shell.
## Notes
- No authentication required (pre-auth / 0-click).