Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4514 PoC — Campcodes Complete Web-Based School Management System timetable_insert_form.php cross site scripting

Source
https://github.com/AnastasiaStill/-CVE-2024-4514-
Associated Vulnerability
Title:Campcodes Complete Web-Based School Management System timetable_insert_form.php cross site scripting (CVE-2024-4514)
Description:A vulnerability, which was classified as problematic, was found in Campcodes Complete Web-Based School Management System 1.0. Affected is an unknown function of the file /view/timetable_insert_form.php. The manipulation of the argument grade leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-263118 is the identifier assigned to this vulnerability.
Readme
## WordPress Core <= 6.6.1 - Authenticated Arbitrary File Upload (CVE-2024-4514) - Remote Code Execution

This repository contains a proof-of-concept exploit for CVE-2024-4514, a critical vulnerability affecting WordPress Core versions up to and including 6.6.1. The vulnerability stems from an insecure implementation within the file upload functionality, potentially allowing authenticated attackers to upload arbitrary files to the server, ultimately leading to Remote Code Execution (RCE).

Vulnerability Details:

The root cause lies within a flawed sanitization routine applied to uploaded filenames during the media upload process. This inadequate sanitization, coupled with insufficient validation of file extensions and MIME types, creates a loophole exploitable by malicious actors. An authenticated attacker with even minimal privileges (e.g., Subscriber) can bypass the intended security controls and upload files with arbitrary content and dangerous extensions to the server.

Exploitation Vectors:

Successful exploitation hinges on crafting a malicious file disguised as a legitimate media type (e.g., image) while embedding malicious code within its contents. By manipulating specific HTTP request parameters during the upload process, an attacker can trick the server into accepting and storing the malicious file within the web-accessible directory. Subsequently, the attacker can trigger the execution of the embedded code by accessing the uploaded file through a web request, effectively gaining control over the compromised server.

Impact:

This vulnerability poses a severe threat to affected WordPress websites, potentially granting attackers complete control over the underlying system. The consequences can range from data breaches and website defacement to the installation of backdoors and the propagation of malware to unsuspecting visitors. 

Mitigation:

Immediate action is crucial to mitigate the risk posed by CVE-2024-0000. Upgrading to the latest WordPress version (6.6.2 or higher) is strongly advised as it addresses the vulnerability through a combination of enhanced input validation and improved file type handling. 

Disclaimer:

The exploit code provided in this repository is for educational and research purposes only. It is strictly prohibited to use this exploit for any illegal or unethical activities. The author bears no responsibility for any misuse or damage caused by the use of this code.
File Snapshot

 [4.0K]  /data/pocs/ee7f9949fa523c6ea0947882ac319cfdc197d3d4
├── [2.4K]  CVE-2024-4514.py
└── [2.4K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →