Metasploit-framework: WordPress mixin needs to be updated for 5.x

Created on 7 Feb 2020 · 4 Comments · Source: rapid7/metasploit-framework

The following changes are known:

  1. _wpnonce has been renamed to nonce
  2. Plugin editing API has changed
  3. Plugin uploading?

The following files will need changes:

  1. lib/msf/core/exploit/http/wordpress/admin.rb
  2. lib/msf/core/exploit/http/wordpress/helpers.rb

All these files are suspect:

wvu@kharak:/rapid7/metasploit-framework:feature/wordpress$ git grep -l _wpnonce
lib/msf/core/exploit/http/wordpress/admin.rb
lib/msf/core/exploit/http/wordpress/helpers.rb
modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.rb
modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb
modules/exploits/multi/http/wp_crop_rce.rb
modules/exploits/multi/http/wp_db_backup_rce.rb
modules/exploits/multi/http/wp_ninja_forms_unauthenticated_file_upload.rb
modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb
wvu@kharak:/rapid7/metasploit-framework:feature/wordpress$

12853

bug library not-stale

All 4 comments

@wvu-r7 I assume this still needs to be done?

It does. We can't write exploits using this library functionality for newer WordPress versions.

If plugin uploading doesn't work for 5.x, then post-auth RCE against WordPress would be "broken," as this is the most common way we shell a target. There are other ways, but we haven't implemented them in the library.

Gotcha, you know who's probably gonna be assigned to this

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It's been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
