CVE-2024-27954 PoC — WordPress plugin Automatic 路径遍历漏洞

Source

https://github.com/r0otk3r/CVE-2024-27954

Associated Vulnerability

Title:WordPress plugin Automatic 路径遍历漏洞 (CVE-2024-27954)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Automatic 3.92.0 版本及之前版本存在路径遍历漏洞，该漏洞源于存在路径遍历漏洞。

Readme

# CVE-2024-27954 - WordPress wp-automatic Plugin LFI Scanner

This project provides a Python-based Local File Inclusion (LFI) vulnerability scanner targeting **CVE-2024-27954**, a critical flaw found in the WordPress plugin **wp-automatic**. The vulnerability allows unauthenticated attackers to read arbitrary files on the server using a `file://` injection vector.

## 🚨 Vulnerability Summary

- **CVE-ID:** CVE-2024-27954
- **Component:** WordPress `wp-automatic` Plugin
- **Impact:** Local File Inclusion (LFI)
- **Risk:** Remote unauthenticated file read (e.g., `/etc/passwd`, config files, source code)
- **Vector:** Untrusted `link` parameter using `file://` scheme

---

## 🔧 Features

- Scan single or multiple target URLs
- Test for a single or multiple LFI file paths
- Proxy support (e.g., BurpSuite)
- Multithreaded scanning
- Output vulnerable targets to file
- Human-readable console output

---

## 📦 Requirements

- Python 3.x
- `requests` module

Install dependencies:

```bash
pip install requests
```
## 🚀 Usage
```bash
python3 CVE-2024-27954.py --url http://TARGET --lfi-path /etc/passwd
```
| Argument       | Description                                        |
| -------------- | -------------------------------------------------- |
| `--url`        | Single target URL (e.g. `http://TARGET:8080`)      |
| `--list`       | File containing list of target URLs (one per line) |
| `--lfi-path`   | Single file path to test (default: `/etc/passwd`)  |
| `--paths-file` | File with multiple file paths (one per line)       |
| `--proxy`      | Proxy (e.g. `http://127.0.0.1:8080`)               |
| `--output`     | File to save vulnerable results                    |
| `--threads`    | Number of concurrent threads (default: `3`)        |


## 📂 Example Usages
```bash
python3 CVE-2024-27954.py --url "http://TARGET" --lfi-path /etc/passwd --proxy "http://127.0.0.1:8080" --output results.txt
```
```bash
python3 CVE-2024-27954.py --url "http://TARGET" --lfi-path /etc/shadow --proxy "http://127.0.0.1:8080" --output results.txt
```
<img width="1349" height="433" alt="1" src="https://github.com/user-attachments/assets/ae898bb0-b03e-4b65-97d1-2f835744a144" />

---
# ⚠️ Disclaimer

This tool is intended for educational and authorized penetration testing purposes only. Unauthorized access to systems may be illegal. Use responsibly.

----

## Official Channels

- [YouTube @rootctf](https://www.youtube.com/@rootctf)
- [X @r0otk3r](https://x.com/r0otk3r)

File Snapshot


 [4.0K]  /data/pocs/c5275f15c873aaa82d9da643994f9374e5655a8d
├── [3.7K]  CVE-2024-27954.py
├── [ 631]  paths.txt
└── [2.4K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!