CVE-2014-4725 PoC — WordPress MailPoet Newsletters Plugin Remote File Upload Vulnerability

Associated Vulnerability
Title: WordPress MailPoet Newsletters Plugin Remote File Upload Vulnerability (CVE-2014-4725)
Description: The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.
Description
exploiter
Readme
# CVE-2014-4725 mailpoet exploitation tool

this script is used to scan and exploit the cve-2014-4725 vulnerability (mailpoet/wysija newsletters) in wordpress.

## features
- scan mode > detect wordpress targets vulnerable to cve-2014-4725
- exploit mode > upload a zip payload to vulnerable targets

## installation
1. clone the repository:
   ```
   git clone https://github.com/username/CVE-2014-4725.git
   cd CVE-2014-4725
   ```
2. install dependencies:
   ```
   pip install requests
   ```

## usage

### scan targets

```
python exploit.py --scan targets.txt
```

targets.txt contains a list of targets (one per line, without http://)

### exploit targets

```
python exploit.py --exploit vuln.txt --payload file/zip.zip
```

- vuln.txt contains targets that are already confirmed vulnerable
- --payload is the zip file containing the theme/backdoor to be uploaded

## output

- vuln.txt > list of vulnerable targets
- shell.txt > urls of uploaded shells
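
For site owners, the footprint in the CVE description above (the fixed version 2.6.7, uploads through wp-admin/admin-post.php, code served from wp-content/uploads/wysija/themes/) can be checked against the installed plugin version and the web server's access log. The following is an added example, not part of this repository: the function names are hypothetical, the log layout is assumed to be Combined Log Format, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Paths and fixed version come from the CVE description on this page.
UPLOAD_ENDPOINT = "/wp-admin/admin-post.php"
THEME_DIR = "/wp-content/uploads/wysija/themes/"
FIXED_VERSION = (2, 6, 7)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$")

# Assumed log layout: Apache/nginx Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_vulnerable(version):
    """True when a wysija-newsletters version string is older than 2.6.7."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) < FIXED_VERSION

def triage(lines):
    """Return (reason, ip, raw_path) leads; a hit needs review, it is not proof."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = unquote(m["path"].split("?", 1)[0]).lower()
        if m["method"] == "POST" and path.endswith(UPLOAD_ENDPOINT):
            findings.append(("post-to-admin-post", m["ip"], m["path"]))
        elif THEME_DIR in path and SCRIPT_EXT.search(path) and m["status"] == "200":
            findings.append(("script-served-from-theme-dir", m["ip"], m["path"]))
    return findings

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jul/2014:10:00:01 +0000] "POST /wp-admin/admin-post.php?page=example HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jul/2014:10:00:05 +0000] "GET /wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jul/2014:10:01:00 +0000] "GET /wp-content/uploads/wysija/themes/default/style.css HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jul/2014:10:02:00 +0000] "GET /wp-admin/admin-post.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print("2.6.6 vulnerable:", is_vulnerable("2.6.6"))
    for finding in triage(SAMPLE):
        print(finding)
```

POSTs to admin-post.php also occur in normal WordPress use, so that finding is a lead to correlate with the second one, while a script served with status 200 from the themes upload directory warrants immediate inspection of the file on disk.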
