## https://sploitus.com/exploit?id=839DAD71-7BBB-5C4E-9647-013CC82AA380
# CVE-2023-4861 PoC
This repository contains a Python proof of concept for **CVE-2023-4861**, an **authenticated remote code execution** issue in the WordPress plugin **File Manager Pro - Filester**.
## Vulnerability Summary
- CVE: `CVE-2023-4861`
- Product: `File Manager Pro - Filester` (`filester`)
- Vulnerable versions: `< 1.8.1`
- Fixed version: `1.8.1`
- Vulnerability class: authenticated arbitrary file upload leading to RCE
- Privileges required: `Admin+` on Filester
## What This PoC Does
`exploit.py` automates the same basic outcome described in the public advisory:
1. Uses a valid authenticated WordPress session cookie.
2. Opens the Filester admin page and extracts plugin nonces.
3. Reads current editor restrictions.
4. Changes restrictions to allow access to `/var/www/html/` and allow `.php` upload.
5. Creates a PHP file through Filester's connector.
6. Writes a simple webshell into that file.
7. Triggers the webshell with a command of your choice.
Important implementation detail: my PoC assumes the target web root is `/var/www/html/`. That is hardcoded in the request data and may need adjustment for other lab setups.
## Requirements
- Python 3
- A vulnerable Filester installation
- A valid authenticated cookie string for a session that can access the Filester interface
## Setup
Clone the repository and enter it:
```bash
git clone https://github.com/nomaisthere/CVE-2023-4861-PoC.git
cd CVE-2023-4861-PoC
```
Install dependencies:
```bash
pip install requests
```
## Usage
Show help:
```bash
python3 exploit.py --help
```
Basic example:
```bash
python3 exploit.py --url http://target-wordpress --cookie 'wordpress_logged_in_xxx=...; wordpress_sec_xxx=...' --command id
```
Optional custom shell name:
```bash
python3 exploit.py --url http://target-wordpress --cookie 'wordpress_logged_in_xxx=...; wordpress_sec_xxx=...' \
--shell-name shell.php --command whoami
```
## Notes
- This is an **authenticated** exploit. It is not an unauthenticated RCE.
- Use this only in environments you own or are explicitly authorized to test. I'm not responsible for whatever you do with it.
## References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4861
- WPScan advisory: https://wpscan.com/vulnerability/7fa03f00-25c7-4e40-8592-bb4001ce019d/
- WordPress.org plugin page: https://wordpress.org/plugins/filester/