CVE-2015-6668 PoC — WordPress Job Manager Plugin Security Vulnerability

Associated Vulnerability
Title: WordPress Job Manager Plugin Security Vulnerability (CVE-2015-6668)
Description: The Job Manager plugin before 0.7.25 allows remote attackers to read arbitrary CV files via a brute force attack to the WordPress upload directory structure, related to an insecure direct object reference.
Readme
# CVE-2015-6668 - Job Manager IDOR

[![Rust](https://img.shields.io/badge/rust-%23000000.svg?style=for-the-badge&logo=rust&logoColor=white)](https://www.rust-lang.org/)
[![Security](https://img.shields.io/badge/Security-CVE--2015--6668-red?style=for-the-badge)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668)

A small Rust CLI that reproduces the information-disclosure pattern associated with CVE-2015-6668 (Job Manager <= 0.7.25). The tool enumerates typical WordPress upload paths for given years, months and common file extensions to detect publicly accessible files that may indicate an insecure direct object reference (IDOR) / insecure file exposure.

## Vulnerability Overview

CVE-2015-6668 affects Job Manager (<= 0.7.25). The vulnerability allows an attacker to enumerate or access uploaded files (attachments) due to insufficient access controls on user-uploaded resources. In practice this can expose sensitive documents, images or scripts that were expected to be private.

### Technical Details

- Target: Job Manager installations using predictable upload directories (e.g. `/wp-content/uploads/<year>/<month>/filename.ext`).
- Attack pattern: brute-force / enumerate common year/month folders and filename variants to locate accessible files.
- Indicators: HTTP 200 responses for constructed URLs indicate a publicly reachable file.
- This tool performs simple GET requests and reports the first discovered public file (by default).

### Description

The vulnerability stems from weak access control on uploaded content. If an application stores files in predictable public locations without proper authorization checks, an attacker can enumerate likely file paths and retrieve files directly via HTTP. The exploit vector is essentially an informed crawler that constructs possible upload URLs (year/month/file.ext) and checks for a 200 OK response.
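
On the server side, the enumeration described above appears in access logs as one client requesting the same filename stem across many year/month upload folders. The following Python sketch is an added example, not part of the original README or the tool; the log lines are constructed, and the names `find_upload_enumeration` and `min_dirs` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-content/uploads/2014/01/john-doe-cv.pdf HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-content/uploads/2014/01/john-doe-cv.doc HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-content/uploads/2014/02/john-doe-cv.pdf HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-content/uploads/2014/03/john-doe-cv.pdf HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-content/uploads/2014/04/john-doe-cv.pdf HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-content/uploads/2014/05/john-doe-cv.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:10 +0000] "GET /wp-content/uploads/2014/05/logo.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:11 +0000] "GET /wp-content/uploads/2014/06/banner.jpg HTTP/1.1" 200 30412 "-" "Mozilla/5.0"
"""

# Captures client IP, year/month upload folder, filename and status per request.
UPLOAD_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) /wp-content/uploads/'
    r'(?P<year>\d{4})/(?P<month>\d{2})/(?P<name>[^/\s?"]+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def find_upload_enumeration(log_text, min_dirs=4):
    """Flag clients that request one filename stem in >= min_dirs upload folders."""
    seen = defaultdict(lambda: {"dirs": set(), "hits": []})
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if not m:
            continue
        # Group by stem so extension variants of one name count together.
        stem = m["name"].rsplit(".", 1)[0].lower()
        entry = seen[(m["ip"], stem)]
        entry["dirs"].add((m["year"], m["month"]))
        if m["status"] == "200":  # the probed file was served to this client
            entry["hits"].append(f"/wp-content/uploads/{m['year']}/{m['month']}/{m['name']}")
    return [
        {"ip": ip, "stem": stem, "dirs_probed": len(seen[ip, stem]["dirs"]),
         "exposed": seen[ip, stem]["hits"]}
        for ip, stem in sorted(seen)
        if len(seen[ip, stem]["dirs"]) >= min_dirs
    ]


if __name__ == "__main__":
    for finding in find_upload_enumeration(SAMPLE_LOG):
        print(finding)
```

Because the tool sends a browser-like User-Agent, the check keys on the request path pattern rather than the client string. Any entry under `exposed` is an upload the server returned without an authorization check and should be moved behind one.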

## Usage

Build and run the project with Cargo (Rust and Cargo are required):

```bash
cargo run -- -u http://target.com -f <file-name>
```

Required arguments:
- `-u`, `--url` : base URL of the target (e.g. `http://example.com`).
- `-f`, `--filename` : filename to search for (spaces will be replaced with `-`).

Optional:
- `--start-year` : start year for enumeration (default: 2014).
- `--end-year` : end year for enumeration (default: current year).

Notes:
- The tool stops and exits immediately when the first file is found and prints the URL.
- The request User-Agent is set to mimic a modern Chrome browser by default.

## Disclaimer

This tool is for educational and authorized penetration testing purposes only. Use responsibly and only on systems you own or have explicit permission to test.
File Snapshot

```
[4.0K]  /data/pocs/e31cb3ded29aea5890058814a15969c842705484
├── [ 47K]  Cargo.lock
├── [ 218]  Cargo.toml
├── [2.6K]  README.md
└── [4.0K]  src
    └── [2.7K]  main.rs

2 directories, 4 files
```