Collection of Exploits developed by Ron Jost
For Exploit-development requests, please reach out to me: [email protected]
- Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated): CVE-2020-35948
- Wordpress Plugin Modern Events Calendar Lite < 5.16.5 - RCE (Authenticated): CVE-2021-24145
- Wordpress Plugin Modern Events Calendar Lite < 5.16.5 - Export Event Data (Unauthenticated): CVE-2021-24146
- Wordpress Plugin Backup Guard < 1.6.0 - Remote Code Execution (Authenticated): CVE-2021-24155
- Wordpress Plugin Responsive Menu < 4.0.3 - Remote Code Execution (Authenticated): CVE-2021-24160
- Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (Authenticated): CVE-2021-24347
- Wordpress Plugin BulletProof Security V 5.1 - Sensitive Information Disclosure: CVE-2021-39327
- Wordpress Plugin Secure File Manager V <= 2.9.3 - Remote Code Execution (Authenticated): SFM-0day
- Wordpress Plugin Duplicate Post V <= 1.1.9 - SQL Injection: CVE-2021-43408
- Wordpress Plugin Catch Themes Demo Import V 1.6.1 - Remote Code Execution (Authenticated): CVE-2021-39352
- Wordpress Plugin WP Visitor Statistics V <= 4.7 - SQL Injection (Authenticated): CVE-2021-24750
- Wordpress Plugin RegistrationMagic V <= 5.0.1.5 - SQL Injection (Authenticated): CVE-2021-24862
- Wordpress Plugin Modern Events Calendar V < 6.1.5 - SQL Injection (Unauthenticated): CVE-2021-24946
- Wordpress Plugin Download Monitor WordPress V < 4.4.5 - SQL Injection (Authenticated): CVE-2021-24786
- Wordpress Plugin 404 to 301 <= 2.0.2 - SQL Injection (Authenticated): CVE-2015-9323
- Wordpress Plugin Secure Copy Content Protection and Content Locking < 2.8.2 - SQL Injection (Unauthenticated): CVE-2021-24931
- Wordpress Plugin Perfect Survey < 1.5.2 - SQL Injection (Unauthenticated): CVE-2021-24762
- Wordpress Plugin WP User Frontend < 3.5.26 - SQL Injection (Authenticated)
- GetSimple CMS 3.3.4 - Information Disclosure: CVE-2014-8722
- OpenEMR 5.0.0 - Remote Code Execution (Authenticated): CVE-2017-9380
- OpenEMR < 5.0.1.4 - Remote Code Execution (Authenticated): CVE-2018-15139
- OpenEMR < 5.0.1.4 - /portal/account/register.php Authentication bypass: CVE-2018-15152
- OpenEMR < 5.0.2 - Path Traversal (Authenticated): CVE-2019-14530
- Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated): CVE-2017-14535
- Trixbox 2.8.0.4 - 'lang' Path Traversal: CVE-2017-14537
- Monstra CMS <= 3.0.4 - Remote Code Execution (Authenticated): CVE-2018-6383
- Codiad 2.8.4 - Remote Code Execution (Authenticated): CVE-2018-19423
- Codiad 2.8.4 - Remote Code Execution (Authenticated) (2): CVE-2019-19208
- Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated): CVE-2020-29607
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.
- Vendor Homepage: https://www.xcloner.com/
- Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
- Version: 4.2.1 - 4.2.12
- Tested on Ubuntu 18.04
Exploit Title: Wordpress Plugin Modern Events Calendar Lite < 5.16.5 - Remote Code Execution (Authenticated)
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
- Vendor Homepage: https://webnus.net/modern-events-calendar/
- Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
- Version: Prior to 6.15.5
- Tested on Ubuntu 18.04
Exploit Title: Wordpress Plugin Modern Events Calendar Lite < 5.16.5 - Export Event Data (Unauthenticated)
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.
- Vendor Homepage: https://webnus.net/modern-events-calendar/
- Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
- Version: Prior to 6.15.5
- Tested on Ubuntu 18.04
The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
- Vendor Homepage: https://backup-guard.com/products/backup-wordpress
- Software Link: https://downloads.wordpress.org/plugin/backup.1.5.8.zip
- Version: Prior to 1.6.0
- Tested on Ubuntu 18.04
In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, subscribers could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further infect a WordPress site.
- pending submission
- Vendor Homepage: https://responsive.menu/
- Software Link: https://downloads.wordpress.org/plugin/responsive-menu.4.0.2.zip
- Version: 4.0.0 - 4.0.3
- Tested on Ubuntu 18.04
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
- Vendor Homepage: https://smartypantsplugins.com/
- Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip
- Version: Prior to 4.22
- Tested on Ubuntu 18.04
Secure File Manager Wordpress plugin V 2.9.3 - Remote Code Execution (authenticated)
In the Secure File Manager Wordpress plugin V 2.9.3 and possibly before, authenticated users could upload PHP files by changing the content type and renaming the .php extension to .phtml.
- Date: 10.07.2021
- Exploit Author: Ron Jost (Hacker5preme)
- Vendor Homepage: https://themexa.com/secure-file-manager-pro/
- Software Link: https://downloads.wordpress.org/plugin/secure-file-manager.zip
- Version: All versions
- Tested on: Ubuntu 18.04
- CWE: CWE-434
- Vulnerability discovered by Ron Jost
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.
- Vendor Homepage: https://forum.ait-pro.com/read-me-first/
- Software Link: https://downloads.wordpress.org/plugin/bulletproof-security.5.0.zip
- Version: Up to 5.1
- Tested on Ubuntu 18.04
The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.
- Vendor Homepage: https://wordpress.org/plugins/catch-themes-demo-import/
- Software Link: https://downloads.wordpress.org/plugin/catch-themes-demo-import.1.6.1.zip
- Version: Up to 1.7
- Tested on Ubuntu 18.04
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL injection issue.
- Vendor Homepage: https://www.download-monitor.com/
- Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip
- Version: Up to 4.4.4
- Tested on Ubuntu 20.04
GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via direct requests.
- Vendor Homepage: http://get-simple.info
- Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
- Version: 3.3.4
- Tested on Ubuntu 20.04
python3 exploit.py Target_IP Target_Port CMS_path
The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client-supplied data is included within an SQL query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it is also possible to exploit features of the SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators; however, the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.
- pending submission
- Vendor Homepage: https://wordpress.org/plugins/copy-delete-posts/
- Software Link: https://downloads.wordpress.org/plugin/copy-delete-posts.1.1.9.zip
- Version: Up to 1.1.9
- Tested on Ubuntu 18.04
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
- Vendor Homepage: https://www.plugins-market.com/
- Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
- Version: Up to 4.7
- Tested on Ubuntu 18.04
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
- Vendor Homepage: https://registrationmagic.com/
- Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip
- Version: Up to 5.0.1.5
- Tested on Ubuntu 20.04
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue.
- Vendor Homepage: https://webnus.net/modern-events-calendar/
- Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip
- Version: Up to 6.1
- Tested on Ubuntu 20.04
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
- Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/
- Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip
- Version: Up to 2.0.2
- Tested on Ubuntu 20.04
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
- Vendor Homepage: https://www.getperfectsurvey.com/
- Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip
- Version: Up to 1.5.1
- Tested on Ubuntu 20.04
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.
- Vendor Homepage: https://wedevs.com/
- Software Link: https://downloads.wordpress.org/plugin/wp-user-frontend.3.5.25.zip
- Version: Up to 3.5.25
- Tested on Ubuntu 20.04
OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application.
The OpenEMR application allows users from all roles to upload files. However, the application does not whitelist only certain types of files (e.g. PDF, JPG, PNG, DOCX, etc.). On the contrary, any type of file can be uploaded to the filesystem via the application. While OpenEMR recommends during the installation to restrict access to the repository hosting uploaded files, unfortunately, such recommendations are too often ignored by users and can result in full compromise of the web server and its data.
- Vendor Homepage: https://www.open-emr.org/
- Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/5.0.0/openemr-5.0.0.zip/download
- Version: 5.0.0
- Tested on Windows 10
python3 exploit.py -T Target_IP -P Target_Port -U OpenEMR_path -u username -p password
Wordpress Plugin Secure Copy Content Protection and Content Locking < 2.8.2 - SQL-Injection (Unauthenticated)
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.
- Vendor Homepage: https://ays-pro.com/
- Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip
- Version: Up to 2.8.1
- Tested on Ubuntu 20.04
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.
OpenEMR is vulnerable to an unrestricted file upload vulnerability in super/manage_site_files.php. This is due to improper (non-existent) checks on the file submitted by the administrator. An authenticated user could use this vulnerability to escalate their privileges by uploading a PHP web shell to execute system commands.
- Vendor Homepage: https://www.open-emr.org/
- Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
- Version: Prior to 5.0.1.4
- Tested on Ubuntu 18.04
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access multiple confidential files.
- Vendor Homepage: https://www.open-emr.org/
- Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
- Version: Prior to 5.0.1.4
- Tested on Ubuntu 18.04
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from the server.
- Vendor Homepage: https://www.open-emr.org/
- Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip
- Version: Prior to 5.0.2
- Tested on Ubuntu 18.04
- Credits to: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf
Trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.
- Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
- Credits to: (Author of the link above: Sachin Wagh; Twitter: @tiger_tigerboy)
- Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
- Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
- Version: 2.8.0.4
- Tested on: Xubuntu 20.04
python3 exploit.py [target_IP] [Target_Port] [Listen_IP] [Listen_Port]
Trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
- Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
- Credits to: (Author of the link above: Sachin Wagh; Twitter: @tiger_tigerboy)
- Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
- Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
- Version: 2.8.0.4
- Tested on: Xubuntu 20.04
python3 exploit.py [target_IP] [target_Port]
Monstra CMS through 3.0.4 has an authenticated Remote Code Execution vulnerability due to a file upload vulnerability.
- Vendor Homepage: https://monstra.org/
- Software Link: https://monstra.org/monstra-3.0.4.zip
- Version: 3.0.4
- Tested on Ubuntu 20.04
python3 exploit.py -T Target_IP -P Target_Port -U CMS_PATH -u username -p password
Codiad 2.8.4 allows remote authenticated administrators to execute arbitrary code by uploading an executable file.
An authenticated attacker can upload an executable file, by using components/filemanager/controller.php as http://Ipaddr/components/filemanager/controller.php?action=upload&path=/var/www/html/data/projectname
- Vendor Homepage: http://codiad.com/
- Software Link: https://github.com/Codiad/Codiad/releases/tag/v.2.8.4
- Version: 2.8.4
- Tested on: Xubuntu 20.04
python3 exploit.py [target_IP] [target_port] [username] [password]
Codiad Web IDE through 2.8.4 allows PHP Code injection.
An unauthenticated attacker can inject PHP code before the initial configuration that gets executed and therefore he can run arbitrary system commands on the server.
- Credits to: https://herolab.usd.de/security-advisories/usd-2019-0049/ (Tobias Neitzel)
- Vendor Homepage: http://codiad.com/
- Software Link: https://github.com/Codiad/Codiad/releases/tag/v.2.8.4
- Version: 2.8.4
- Tested on: Xubuntu 20.04 and Cent OS 8.3
python3 exploit.py [target_IP] [target_port]
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution.
An authenticated attacker can upload a .phar file by using http://IP/admin.php?action=files to gain a webshell.
- Vendor Homepage: https://github.com/pluck-cms/pluck
- Software Link: https://github.com/pluck-cms/pluck/releases/tag/4.7.13
- Version: 4.7.13
- Tested on Xubuntu 20.04
python3 exploit.py Target_IP Target_Port Username