## https://sploitus.com/exploit?id=C5BAC935-E37C-54D7-A92A-923519E6DD40
# CVE-2024-7627 โ Bit File Manager (WordPress) Unauthenticated RCE Exploit
## ๐ Description
This repository contains a proof-of-concept (PoC) exploit for **CVE-2024-7627**, a critical **Unauthenticated Remote Code Execution (RCE)** vulnerability in the **Bit File Manager** WordPress plugin (versions **6.0 โ 6.5.5**).
When the **Guest User Read** feature is enabled, the plugin exposes a race condition inside the `checkSyntax` function.
This function writes a temporary PHP file into `/wp-content/uploads/` before validation, allowing attackers to request the file and execute arbitrary system commands.
- **Vulnerability Type:** Unauthenticated RCE
- **Affected Versions:** Bit File Manager 6.0 โ 6.5.5
- **Patched Version:** 6.5.6
- **CVSS Score:** 9.8 (Critical)
---
## โก Features
- Automatically extracts a valid **AJAX nonce** from the target.
- Retrieves a random writable file hash for exploitation.
- Performs race condition using **async parallel requests**.
- Provides an **interactive reverse shell-like interface** for executing commands.
---
## ๐ง Requirements
- Python **3.8+**
- Dependencies: `requests`, `aiohttp`, `asyncio`, `beautifulsoup4`
Install dependencies:
```bash
pip install requests aiohttp beautifulsoup4
```
## example output
```bash
[*] Getting a valid AJAX nonce...
[+] Found the valid AJAX nonce: 65a1d91c63
[*] Getting a random file hash...
[+] Starting interactive shell. Type 'exit' to quit.
lab-shell> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
lab-shell> uname -a
Linux victim-wp 5.15.0-78-generic #85-Ubuntu SMP x86_64 GNU/Linux
lab-shell> whoami
www-data