Share
## https://sploitus.com/exploit?id=839DAD71-7BBB-5C4E-9647-013CC82AA380
# CVE-2023-4861 PoC

This repository contains a Python proof of concept for **CVE-2023-4861**, an **authenticated remote code execution** issue in the WordPress plugin **File Manager Pro - Filester**.

## Vulnerability Summary

- CVE: `CVE-2023-4861`
- Product: `File Manager Pro - Filester` (`filester`)
- Vulnerable versions: `< 1.8.1`
- Fixed version: `1.8.1`
- Vulnerability class: authenticated arbitrary file upload leading to RCE
- Privileges required: `Admin+` on Filester

## What This PoC Does

`exploit.py` automates the same basic outcome described in the public advisory:

1. Uses a valid authenticated WordPress session cookie.
2. Opens the Filester admin page and extracts plugin nonces.
3. Reads current editor restrictions.
4. Changes restrictions to allow access to `/var/www/html/` and allow `.php` upload.
5. Creates a PHP file through Filester's connector.
6. Writes a simple webshell into that file.
7. Triggers the webshell with a command of your choice.

Important implementation detail: my PoC assumes the target web root is `/var/www/html/`. That is hardcoded in the request data and may need adjustment for other lab setups.

## Requirements

- Python 3
- A vulnerable Filester installation
- A valid authenticated cookie string for a session that can access the Filester interface

## Setup

Clone the repository and enter it:

```bash
git clone https://github.com/nomaisthere/CVE-2023-4861-PoC.git
cd CVE-2023-4861-PoC
```

Install dependencies:

```bash
pip install requests
```

## Usage

Show help:

```bash
python3 exploit.py --help
```

Basic example:

```bash
python3 exploit.py --url http://target-wordpress --cookie 'wordpress_logged_in_xxx=...; wordpress_sec_xxx=...' --command id
```

Optional custom shell name:

```bash
python3 exploit.py --url http://target-wordpress --cookie 'wordpress_logged_in_xxx=...; wordpress_sec_xxx=...' \
  --shell-name shell.php --command whoami
```

## Notes

- This is an **authenticated** exploit. It is not an unauthenticated RCE.
- Use this only in environments you own or are explicitly authorized to test. I'm not responsible for whatever you do with it.

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-4861
- WPScan advisory: https://wpscan.com/vulnerability/7fa03f00-25c7-4e40-8592-bb4001ce019d/
- WordPress.org plugin page: https://wordpress.org/plugins/filester/