Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4439 PoC — WordPress 跨站脚本漏洞

Source
https://github.com/d0rb/CVE-2024-4439
Associated Vulnerability
Title:WordPress 跨站脚本漏洞 (CVE-2024-4439)
Description:WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
Description
The provided exploit code leverages a stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-4439) in WordPress Core versions up to 6.5.1.
Readme

<div align="center">

[![Profile Visitors](https://komarev.com/ghpvc/?username=d0rb&label=Visitors&color=0e75b6&style=flat)](https://komarev.com/ghpvc/?username=d0rb)

 #  🇮🇱  **#BringThemHome #NeverAgainIsNow**   🇮🇱

**We demand the safe return of all citizens who have been taken hostage by the terrorist group Hamas. We will not rest until every hostage is released and returns home safely. You can help bring them back home.
https://stories.bringthemhomenow.net/**


# CVE-2024-4439 Exploit: Unauthenticated Stored Cross-Site Scripting Vulnerability in WordPress Core

🔐 **CVE ID:** CVE-2024-4439

📝 **Description:**
A significant security vulnerability has been identified in WordPress Core versions up to 6.5.1, tracked as CVE-2024-4439. This vulnerability is a stored Cross-Site Scripting (XSS) flaw, allowing attackers to inject harmful web scripts through the Avatar block. The flaw arises due to insufficient output escaping of user display names, enabling both authenticated and unauthenticated attackers to execute arbitrary PHP commands.

🛠️ **Exploit Code:**
The provided exploit code demonstrates the exploitation of CVE-2024-4439. By injecting a crafted payload into the Avatar block, the attacker can execute arbitrary PHP commands on the target server. This particular exploit showcases the injection of a reverse shell payload, facilitating unauthorized access to the server.

🔍 **Credits:** 
This information was sourced from [SecurityOnline.info](https://securityonline.info/cve-2024-4439-unauthenticated-stored-cross-site-scripting-vulnerability-in-wordpress-core/#/) by Do Son.

</div>
File Snapshot

 [4.0K]  /data/pocs/097dce9cd970a802dda4b58b03d0cdb19e871967
├── [1.4K]  PoC.py
└── [1.6K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →