Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-4047 PoC — WordPress Plugin WooCommerce 代码问题漏洞

Source
https://github.com/im-hanzou/WooRefer
Associated Vulnerability
Title:WordPress Plugin WooCommerce 代码问题漏洞 (CVE-2022-4047)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin WooCommerce 4.0.9之前版本存在代码问题漏洞,该漏洞源于对未经身份验证用户通过AJAX操作上传的附件文件没有验证,这可能允许他们上传任意文件(例如PHP)并导致RCE。
Description
Automatic Mass Tool for check and exploiting vulnerability in CVE-2022-4047 - Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload
Readme
# WooRefer | CVE-2022-4047 - Return Refund and Exchange For WooCommerce
Automatic Mass Tool for check and exploiting vulnerability in CVE-2022-4047 - Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload (Mass PHP File Upload)<br><br>
<img src="https://github.com/im-hanzou/WooRefer/blob/main/image/woorefer.png" width=600></img><br>
- Using GNU Parallel. You must have parallel for run this tool.<br>
- <b>If you found error like "$'\r': command not found" just do "dos2unix woorefer.sh"</b>
# Install Parallel
- Linux : <code>apt-get install parallel -y</code><br>
- Windows : You can install WSL (windows subsystem linux) then do install like linux<br>if you want use windows (no wsl), install <a href="https://git-scm.com/download/win">GitBash</a> then do this command for install parallel: <br>
[#] <code>curl pi.dk/3/ > install.sh </code><br>[#] <code>sha1sum install.sh | grep 12345678 </code><br>[#] <code>md5sum install.sh </code><br>[#] <code>sha512sum install.sh </code><br>[#] <code>bash install.sh</code><br>
# How To Use
- <b>Make sure you already install Parallel!</b> Then do:
- [#] <code>git clone https://github.com/im-hanzou/WooRefer.git</code>
- [#] <code>cd WooRefer</code>
- [#] For Linux or WSL: <code>bash woorefer.sh list.txt thread</code>
- [#] For Gitbash: <code>TMPDIR=/tmp bash woorefer.sh list.txt thread</code>
# Reference
- https://nvd.nist.gov/vuln/detail/CVE-2022-4047
- https://wpscan.com/vulnerability/8965a87c-5fe5-4b39-88f3-e00966ca1d94
- https://github.com/advisories/GHSA-3j85-6864-55p3
# Disclaimer:
- <b><i>This tool is for educational purposes only. Use it responsibly and with proper authorization. The author is not responsible for any misuse.</b></i>
File Snapshot

 [4.0K]  /data/pocs/47aff1bd52b8e1add6357d42f43da6586efcc9b0
├── [4.0K]  image
│   ├── [   1]  test.txt
│   └── [148K]  woorefer.png
├── [  46]  list.txt
├── [1.7K]  README.md
├── [ 89K]  tifa.phtml
└── [2.8K]  woorefer.sh

1 directory, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.