Metasploit modules that can be used to exploit Wordpress products
-
WordPress Crop-image Shell Upload
Disclosure Date: 2019-02-19
Module: exploit/multi/http/wp_crop_rce
This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and <= 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. This exploit module only works for Unix-based systems currently.
Authors: RIPSTECH Technology, Wilfried Becard <[email protected]>
WordPress PHPMailer Host Header Command Injection
Disclosure Date: 2017-05-03
Module: exploit/unix/webapp/wp_phpmailer_host_header
This module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to the default virtual host, assuming the header isn't mangled in transit. If the target is running Apache 2.2.32 or 2.4.24 and later, the server may have HttpProtocolOptions set to Strict, preventing a Host header containing parens from passing through, making exploitation unlikely.
Authors: Dawid Golunski, wvu <[email protected]>
WordPress REST API Content Injection
Disclosure Date: 2017-02-01
Module: auxiliary/scanner/http/wordpress_content_injection
This module exploits a content injection vulnerability in WordPress versions 4.7 and 4.7.1 via type juggling in the REST API.
Authors: Marc Montpas, wvu <[email protected]>
PHPMailer Sendmail Argument Injection
Disclosure Date: 2016-12-26
Module: exploit/multi/http/phpmailer_arg_injection
PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.
Authors: Dawid Golunski, Spencer McIntyre
Wordpress XMLRPC DoS
Disclosure Date: 2014-08-06
Module: auxiliary/dos/http/wordpress_xmlrpc_dos
Wordpress XMLRPC parsing is vulnerable to an XML-based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched).
Authors: Nir Goldshlager, Christian Mehlmauer <[email protected]>
WordPress cache_lastpostdate Arbitrary Code Execution
Disclosure Date: 2005-08-09
Module: exploit/unix/webapp/wp_lastpost_exec
This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected.
Authors: str0ke <[email protected]>, hdm <[email protected]>
WordPress Brute Force and User Enumeration Utility
Module: auxiliary/scanner/http/wordpress_login_enum
WordPress Authentication Brute Force and User Enumeration Utility.
Authors: Tiago Ferreira <[email protected]>, Zach Grace <[email protected]>, Christian Mehlmauer <[email protected]>
Wordpress Pingback Locator
Module: auxiliary/scanner/http/wordpress_pingback_access
This module will scan for wordpress sites with the Pingback API enabled. By interfacing with the API an attacker can cause the wordpress site to port scan an external target and return results. Refer to the wordpress_pingback_portscanner module. This issue was fixed in wordpress 3.5.1.
Authors: Thomas McCarthy "smilingraccoon" <[email protected]>, Brandon McCann "zeknox" <[email protected]>, Christian Mehlmauer <[email protected]>
WordPress Traversal Directory DoS
Module: auxiliary/dos/http/wordpress_directory_traversal_dos
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
Authors: Yorick Koster, CryptisStudents
11 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. There may be other relevant modules.
Visit metasploit web site for more details