# CVE-2019-15858

**Unauthenticated Remote Code Execution at Woody Ad Snippets (PoC)**

An unauthenticated options import vulnerability combined with a stored XSS vulnerability can lead to remote code execution in the WordPress plugin Woody Ad Snippets (90,000+ active installations).
Woody Ad Snippets is a plugin that lets administrators insert any code, text, or ads into their blog, conditionally: JS, CSS, HTML and even PHP code. Version 2.2.4 and below was affected by two vulnerabilities which, when unintentionally triggered by the administrator in the WordPress back-end, allowed an attacker to run arbitrary PHP code and thereby compromise the website and its database.
# Usage:
```
usage: python exploit.py sites.txt payload.json
```
[Demo video](https://www.youtube.com/watch?v=n3zDjJ-xJ_8)
# References:
* https://www.cvedetails.com/cve/CVE-2019-15858/
* https://wordpress.org/plugins/insert-php/
# Files:
```
[4.0K] /data/pocs/8559035d7d47adb5b074fc8ca8cc0acb280ef7e9
├── [1.5K] exploit.py
├── [ 372] payload.json
├── [1.9K] rce.js
├── [ 983] README.md
└── [ 21] Sites.txt
0 directories, 5 files
```