CVE-2019-15858 PoC — WordPress Woody ad snippets插件输入验证错误漏洞

Source

https://github.com/orangmuda/CVE-2019-15858

Associated Vulnerability

Title:WordPress Woody ad snippets插件输入验证错误漏洞 (CVE-2019-15858)
Description:admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.

Description

Unauthenticated Remote Code Execution at Woody Ad Snippets (PoC)

Readme

# CVE-2019-15858
**Unauthenticated Remote Code Execution at Woody Ad Snippets (PoC)**



An unauthenticated options import vulnerability combined with a stored XSS vulnerability can lead to remote code execution in the WordPress Woody Ad Snippets (90,000+ active installations).
Woody Ad Snippets is a plugin that allows administrators to insert any code, text, or ads by conditions in their blog: JS, CSS, HTML and even PHP code. It was prone in version 2.2.4 and below to two vulnerabilities that, when unintentionally triggered by the administrator in the back-end section of WordPress, would allow an attacker to run any PHP code in order to compromise the website and its database.

# Usage:
```
usage: python exploit.py sites.txt payload.json
```

[![Proof of Concept Video](https://img.youtube.com/vi/n3zDjJ-xJ_8/0.jpg)](https://www.youtube.com/watch?v=n3zDjJ-xJ_8)

# References:

* https://www.cvedetails.com/cve/CVE-2019-15858/
* https://wordpress.org/plugins/insert-php/

File Snapshot


 [4.0K]  /data/pocs/8559035d7d47adb5b074fc8ca8cc0acb280ef7e9
├── [1.5K]  exploit.py
├── [ 372]  payload.json
├── [1.9K]  rce.js
├── [ 983]  README.md
└── [  21]  Sites.txt

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!