Wordpress Plugin Catch Themes Demo Import cve-2021-39352 #15988
documentation/modules/exploit/multi/http/wp_catch_themes_demo_import.md
Code looks good to me. Added a suggestion to mention authentication as a requirement for exploitation in docs / module description.
I've gotten a successful session a few times, but I'm getting a few failures as well:
Failure with HTTPTRACE output
Edit: It might be an issue with my setup since waiting a minute or two before retrying gives another session. Just wanted to check if you've run into this error before.
I didn't experience this before, but can confirm the Being that I was able to confirm what you did, I adjusted docs and error handling to account for this.
I don't think the rspec issues are related to this module.
Thanks for the changes! I modified the
Release Notes
This adds an exploit for the Catch Themes Demo Import Wordpress plugin for versions below
This PR adds CVE-2021-39352, an authenticated WordPress plugin RCE against Catch Themes Demo Import < 1.8.
Pretty simple exploit: log in, grab a nonce, upload payload, execute it. Have a nice day.
Looks like the plugin doesn't have a good readme file though, so the check does find a file, but not the version. This is prob fine. I think in the future it may be a good idea to implement an authenticated check_plugin_version_from_plugin_page to check from the authenticated pages. Another PR on another day.
Also went ahead and updated the wordpress themes, and plugins files.
Verification
use exploits/multi/http/wp_catch_themes_demo_import
set rhosts
set username
set password
run
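
The description above notes that a readme-based check finds the plugin but not its version. As an added example (not code from this PR or from Metasploit), a site owner with filesystem access can classify an install against the `< 1.8` affected range from the plugin's header comment instead, falling back to the readme. The helper names and sample file contents are constructed for illustration, and reading the files from disk is left to the caller.

```ruby
require 'rubygems' # Gem::Version gives correct dotted-version ordering

# Lower bound of the fixed range; the PR description gives "< 1.8" as affected.
FIXED_VERSION = Gem::Version.new('1.8')

# WordPress takes plugin metadata from a comment header near the top of the
# plugin's main PHP file; "Version:" is a standard field of that header.
def plugin_header_version(php_source)
  m = php_source[0, 8192].match(/^[ \t\/*#@]*Version:\s*(\S+)/i)
  m && m[1]
end

# readme.txt may carry a "Stable tag:" line, but it can be absent or "trunk".
def readme_stable_tag(readme)
  m = readme.match(/^[ \t*]*Stable tag:\s*(\S+)/i)
  m && m[1]
end

# files: { main_php: "...", readme: "..." } (either key may be missing).
# Returns :vulnerable, :patched, or :unknown when no usable version is found.
def classify(files)
  candidates = [plugin_header_version(files.fetch(:main_php, '')),
                readme_stable_tag(files.fetch(:readme, ''))]
  raw = candidates.compact.find { |v| Gem::Version.correct?(v) }
  return :unknown unless raw
  Gem::Version.new(raw) < FIXED_VERSION ? :vulnerable : :patched
end

# Constructed sample file contents, not taken from the real plugin.
HEADER = "<?php\n/**\n * Plugin Name: Catch Themes Demo Import\n * Version: %s\n */\n"
SAMPLES = {
  'old header'      => { main_php: format(HEADER, '1.7') },
  'fixed header'    => { main_php: format(HEADER, '1.8') },
  'two-digit minor' => { main_php: format(HEADER, '1.10') },
  'readme only'     => { readme: "=== Demo ===\nStable tag: 1.6.1\n" },
  'readme, no tag'  => { readme: "=== Demo ===\nStable tag: trunk\n" }
}

SAMPLES.each { |name, files| puts "#{name}: #{classify(files)}" }
```

The `1.10` sample is there because a plain string comparison would rank it below `1.8`; `:unknown` results are the installs that still need a manual look.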