This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Unauthenticated RCE via input validation error in `class.import.snippet.php`. <br>**Consequences**: Attackers can execute arbitrary code on the server.…
**Root Cause**: Input validation error in the options import functionality. <br>**CWE**: Not explicitly listed, but involves **Stored XSS** leading to **RCE**.…
**Affected**: WordPress Plugin **Woody Ad Snippets**. <br>**Versions**: **< 2.2.5** (specifically 2.2.4 and below). <br>**Scale**: 90,000+ active installations at risk.
Q4 What can hackers do? (Privileges/Data)
**Capabilities**: **Remote Code Execution (RCE)**. <br>**Privileges**: Unauthenticated attackers can trigger the exploit. Once triggered, they gain server-level access.…
**Threshold**: **LOW**. <br>**Auth**: **Unauthenticated** initial vector. <br>**Config**: Requires the admin to unintentionally trigger the stored payload in the backend.…
**Public Exploit**: **YES**. <br>**PoCs**: Available on GitHub (GeneralEG, orangmuda). <br>**Automation**: Nuclei templates exist for easy scanning. Wild exploitation is highly likely.
Q7 How to self-check? (Features/Scanning)
**Check**: Scan for **Woody Ad Snippets** plugin. <br>**Version**: Check if version is **< 2.2.5**. <br>**Tools**: Use Nuclei or manual GitHub PoC checks.…
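A local version check for the Q7 self-check, as an added example that is not part of the original analysis: it reads WordPress plugin file headers under a plugins directory and flags Woody Ad Snippets installs below 2.2.5. Matching the plugin by the word "Woody" in its `Plugin Name` header is an assumption, and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 2, 5)    # first fixed version, per the summary above
NAME_HINT = "woody"  # assumption: the plugin's "Plugin Name" header contains "Woody"

# Constructed sample of a WordPress plugin file header (not copied from the plugin).
SAMPLE = """<?php
/**
 * Plugin Name: Woody ad snippets
 * Version: 2.2.4
 */
"""

HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)


def parse_header(php_text):
    """Return lower-cased header fields found at the top of a plugin file."""
    fields = {}
    for key, value in HEADER_RE.findall(php_text[:8192]):  # headers sit in the first 8 KB
        fields.setdefault(key.lower(), value)
    return fields


def version_tuple(text):
    """'2.2' -> (2, 2, 0); numeric compare, so 2.10.0 sorts above 2.2.5."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(version):
    return version_tuple(version) < FIXED


def scan(plugins_dir):
    """Return (plugin folder, version, vulnerable?) for each matching plugin."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(errors="replace"))
        name, version = fields.get("plugin name", ""), fields.get("version")
        if NAME_HINT in name.lower() and version:
            findings.append((php.parent.name, version, is_vulnerable(version)))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for folder, version, vuln in scan(sys.argv[1]):  # e.g. path to wp-content/plugins
        print(f"{folder}: {version} -> {'UPDATE to 2.2.5+' if vuln else 'ok'}")
```
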