## https://sploitus.com/exploit?id=DA797484-9C89-507E-9247-F853F00B423D
# EXPLOIT CVE-2026-8832


An exploitation tool to test for **Remote Code Execution (RCE)** vulnerabilities in the WordPress plugin **WPCode Lite (Insert Headers and Footers) v2.3.5**. This vulnerability stems from registering the Custom Post Type (CPT) `wpcode` without defining a custom `capability_type`. This oversight allows any user with the **Author** role (or higher) to execute arbitrary PHP code on the server via XML-RPC.
> **Credit**: Created based on the vulnerability analysis by [t.me/Fanatix_Legion](https://t.me/Fanatix_Legion).
---
## โ ๏ธ Disclaimer
**FOR AUTHORIZED SECURITY TESTING ONLY.**
Unauthorized usage of this tool against systems you do not own is **ILLEGAL**. Use this strictly on systems where you have explicit, written permission to conduct penetration testing. The author assumes no liability and is not responsible for any misuse or damage caused by this program.
---
## ๐ Features
- **Automated Exploitation**: Executes the full exploit chain from fingerprinting to code execution in 6 automated steps.
- **XML-RPC Bypass**: Leverages the `wp.newPost` endpoint via XML-RPC to bypass plugin UI administrative protections.
- **Pure PHP Payloads**: All built-in payloads are designed using pure PHP native functions. This is specifically crafted to **bypass `disable_functions`** restrictions commonly found in shared hosting environments (like CloudLinux) which block functions like `shell_exec` and `system`.
- **Web-Based Interactive Shell**: Includes a web-GUI payload option to easily navigate and execute PHP commands from a browser.
- **Auto-Cleanup**: Safely cleans up the database by removing test snippets and trigger posts after execution.
## ๐ฆ Requirements
- Python 3.6+
- `requests` library
```bash
pip install requests
```
## ๐ ๏ธ Usage
Run the script from your terminal/command prompt:
```bash
python wpcode_rce_tester.py
```
The tool will prompt you interactively for the following:
1. **WordPress URL**: The target URL (e.g., `http://localhost`).
2. **Username**: A user account username with at least **Author** privileges.
3. **Password**: The password for the account.
4. **Payload**: The payload choice you wish to execute (select 1-8).
### Available Payloads
1. **System Info**: Displays current user (`get_current_user`) and OS info (`php_uname`).
2. **Interactive PHP Shell via GET**: Runs console input as PHP code (via `?cmd=` parameter).
3. **PHP Info**: Executes `phpinfo()`.
4. **WordPress Config Reader**: Reads internal WordPress constants such as database credentials.
5. **File Listing**: Recursively lists files and folders in `DOCUMENT_ROOT` natively using `scandir()`.
6. **Web-Based Interactive PHP Shell**: Creates a simple HTML POST form to type and execute PHP code interactively in the browser, highly effective when OS-level execution is blocked.
7. **Proof of Concept**: Simply echoes "RCE VERIFIED" without reading sensitive data or harming the system.
8. **Custom Payload**: Enter your own raw PHP code for execution.
## ๐ก๏ธ Remediation
To secure your WordPress site:
1. Immediately update the **WPCode Lite** plugin to the latest version.
2. If updating is not possible, disable XML-RPC completely if it is not in use by adding the following to a plugin or *mu-plugins*:
```php
add_filter('xmlrpc_enabled', '__return_false');
```
---