Unauthenticated Arbitrary File Upload in WPvivid Backup & Migration plugin

This repository is a small self-contained lab and proof-of-concept for a web XSS issue involving multipart form parsing and charset-based payload decoding. The structure is simple: a docker-compose stack launches an OWASP ModSecurity CRS nginx proxy in front of a custom Flask application; flask/Dockerfile and flask/requirements.txt build the backend; flask/app.py contains the vulnerable logic; POC.txt contains a raw exploit request; README.md explains how to run the lab and trigger the issue. The core vulnerability is in flask/app.py. The /submit route manually parses multipart/form-data using Python's email parser, reads each part's declared charset, decodes attacker-controlled bytes accordingly, and stores the decoded values in a dictionary. Those values are then rendered into HTML using render_template_string with '{{ value | safe }}', explicitly disabling escaping. The provided PoC abuses this by sending a multipart field with Content-Type charset=utf-7 and a UTF-7 encoded <script> payload. After decoding, the payload becomes executable JavaScript in the browser. The sample payload reads the hidden flag from the page element with id 'secret-flag' and displays it. Main exploit capability: client-side code execution in the browser of anyone viewing the rendered response page, demonstrated as DOM data theft. This is a web-to-browser attack path rather than server-side code execution. The proxy/WAF context suggests the lab is intended to demonstrate a WAF bypass angle, where UTF-7 encoded multipart content may evade simplistic filtering while still being decoded by the backend. Repository purpose: to provide a reproducible Docker-based environment for demonstrating and testing this XSS/WAF-bypass scenario. It is a real exploit PoC rather than a scanner or detection script, but it remains proof-of-concept level because the payload is fixed and only demonstrates alert-based exfiltration of a lab flag.

This repository is a small standalone Python proof-of-concept exploit for CVE-2026-1357 affecting the WPvivid Backup & Migration WordPress plugin. The repository contains one main exploit script (CVE-2026-1357.py), a README with vulnerability explanation and lab instructions, a docker-compose file for building a local vulnerable WordPress environment, and a requirements file listing requests and pycryptodome. The exploit script performs two main stages. First, it generates a crafted migration/backup payload that abuses the plugin's decryption failure path by encrypting attacker-controlled JSON with an all-null AES key and IV. The JSON includes a traversal filename ../uploads/<uuid>.php and base64-encoded PHP shell content. This is sent to the target as a POST request with wpvivid_action=send_to_site and wpvivid_content=<payload>. Second, after upload, the script constructs the public shell URL under /wp-content/uploads/<uuid>.php?cmd=<command> and sends a request to execute an arbitrary system command. The shell payload is a minimal PHP webshell using system($_GET["cmd"]). The exploit is operational rather than just demonstrative because it includes a working payload and automatic command execution, but it is not part of a larger exploitation framework and does not provide advanced payload customization beyond a supplied command string. The attack vector is remote web/network exploitation against an exposed WordPress site. The README indicates the vulnerable condition requires WPvivid Backup & Migration version 0.9.123 or earlier and that the plugin's migration listener must be initialized by generating a key in the plugin UI. The docker-compose lab provisions MariaDB and WordPress, exposes WordPress on localhost:8080, and mounts a manually staged vulnerable plugin directory for testing.

Repository contains a single Python exploit tool (`CVE-2026-1357.py`) plus README, license, and requirements. The script targets CVE-2026-1357 in the WordPress WPvivid Backup & Migration plugin (≤ 0.9.123), exploiting a flawed crypto/session handling path where AES is effectively initialized with a null key/IV after RSA decrypt failure. Core capability is unauthenticated arbitrary file write/upload: it builds a compact JSON describing the target filename/path (`name`) and file content (`data` as base64), encrypts it with AES-128-CBC using all-zero key and IV, wraps it with a fixed '000' field and a 16-hex-digit ciphertext length, base64-encodes the blob, and sends it as `wpvivid_content` alongside `wpvivid_action=send_to_site` in an HTTP POST to the target base URL. The tool provides two interactive modes: (1) `mood1` payload generator (accepts content via single-line, multi-line, or local file; writes `wpvivid_payload.txt`; optionally runs a concurrent mass mode against a list of targets), and (2) `mood2` single-target tester that sends a provided payload and verifies success by requesting `/<wp-content/wpvividbackups>/<filename>`. Successful hits are logged to `Nx_.txt`. TLS verification is disabled and requests use a short timeout (3s) with concurrency via `ThreadPoolExecutor` for mass testing. Overall purpose: practical exploitation and validation of arbitrary file upload/write (potentially leading to RCE if a PHP payload is written to a web-accessible location).

Repository purpose: a small lab + PoC exploit for CVE-2026-1357, described as an unauthenticated file upload leading to RCE in the WPvivid WordPress plugin via a cryptographic logic failure combined with directory traversal. Structure: - `README.md`: explains the vulnerability, provides steps to build a Dockerized WordPress+WPvivid environment, and shows how to run the PoC (`python3 poc.py -u <url> -c <cmd>`). - `docker-compose.yml`: spins up a WordPress container (port 80) and a MariaDB container; mounts a local `wpvivid-backuprestore` plugin directory into WordPress. - `poc.py`: the actual exploit. Exploit flow (poc.py): 1) Generates a random shell name `renad_<10 chars>.php` and sets an upload path of `../uploads/<name>.php` (path traversal). 2) Builds JSON parameters including `name` (upload path) and `data` (base64-encoded PHP webshell), plus size/md5 metadata. 3) Encrypts the JSON using AES-CBC with an all-zero key and IV, then wraps it in a custom packet format with a fake key label (`RENAD-PRIVATE-KEY`) and base64-encodes the whole packet. 4) Sends an unauthenticated HTTP POST to the target base URL with form fields `wpvivid_action=send_to_site` and `wpvivid_content=<payload>`. 5) Verifies RCE by requesting `/wp-content/uploads/<name>.php?cmd=<verify_cmd>` and checking for a marker string in the response. Capabilities: - Unauthenticated remote file write (PHP) into WordPress uploads directory (via traversal). - Remote command execution through a simple GET-parameter webshell. Notes: - No interactive shell management; it is a straightforward upload-and-execute PoC with a hardcoded PHP payload and basic verification, making it OPERATIONAL rather than a full framework/weaponized tool.

Repository purpose: a local-only Docker lab plus a Python PoC for CVE-2026-1357 affecting the WordPress plugin WPvivid Backup & Migration. Structure: - docker-compose.yml: Builds two parallel WordPress stacks for comparison: - Vulnerable: WordPress 6.4.3 + WPvivid plugin 0.9.123 exposed on 127.0.0.1:8081. - Patched: WordPress 6.4.3 + WPvivid plugin 0.9.124 exposed on 127.0.0.1:8082. Each stack includes a MySQL 8.0.36 container and a seeding container that installs WordPress and the specified plugin version. - scripts/seed-wp.sh: Idempotent seeding script using WP-CLI to download/install WordPress, install/activate the WPvivid plugin at a pinned version, and ensure wp-content/uploads and WPvivid directories exist and are writable. - poc.py: Network exploit script. It fingerprints WPvivid by requesting /wp-content/plugins/wpvivid-backuprestore/readme.txt, then sends an unauthenticated POST to the site root with parameters wpvivid_action=send_to_site and wpvivid_content=<hardcoded payload>. On success, it expects a PHP webshell to be written to /wp-content/uploads/pwn_remote.php and then performs command execution via GET requests using the cmd query parameter. Includes an interactive loop to run arbitrary commands. - requirements.txt: requests dependency. - readme.md: Safety notes and instructions for running the lab locally; references NVD and an original PoC. Exploit capabilities: - Unauthenticated remote file write/upload via WPvivid receive mechanism (as implemented in vulnerable versions). - Remote command execution by interacting with the dropped PHP webshell in the uploads directory. Notable operational assumptions called out by the code/README: - The WPvivid 'Receive backup from another site' feature must be enabled and the receive key must be valid (not expired). - If the upload succeeds but commands do not execute, the target may block PHP execution in uploads (common hardening).

Repository contains a single Python exploit tool targeting CVE-2026-1357 in the WordPress plugin WPvivid Backup & Migration (wpvivid-backuprestore) affecting versions <= 0.9.123. The exploit is unauthenticated and chains (1) a crypto fail-open condition (phpseclib v1 behavior when OpenSSL private decrypt fails, resulting in a NULL/zero AES key) with (2) a path traversal in a `name` field to escape the intended backup directory and write a PHP webshell into a web-accessible location (documented as `/wp-content/uploads/<shell>.php`). Key capabilities implemented/advertised: - Target scanning and fingerprinting: detects WordPress/WPvivid and fingerprints plugin version via the plugin readme (`/wp-content/plugins/wpvivid-backuprestore/readme.txt`). - Exploitation: crafts an AES-encrypted payload using a 16-byte null key and submits it to WPvivid using parameters like `wpvivid_action=send_to_site` and `wpvivid_content=...`, leveraging traversal to place the shell. - RCE verification and interaction: invokes the uploaded shell with `?cmd=<os command>` (example `?cmd=id`). - Post-exploitation automation: runs a set of reconnaissance commands (e.g., id/whoami/uname/hostname) and attempts to read sensitive files such as `/etc/passwd` and `wp-config.php`, then extracts secrets (DB creds/API keys/AWS keys) from output. - Operational features: multi-threaded mass scanning, proxy support (e.g., Burp at http://127.0.0.1:8080), WAF/403 bypass techniques (UA rotation, header spoofing, path normalization/double encoding), and markdown report generation. Repository structure: - `cve_2026_1357.py`: main entry point; scanner + exploit + optional post-exploit + reporting. - `README.md`: usage, options, and high-level vulnerability chain explanation. - `dorks.md`: Shodan/Google/Censys/FOFA/ZoomEye discovery queries and a sample Nuclei detection template. - `requirements.txt`: Python deps (requests, pycryptodome, urllib3). Overall purpose: provide an end-to-end tool to discover vulnerable WPvivid installations and achieve unauthenticated RCE by uploading a PHP webshell via a cryptographic fail-open + path traversal chain, then optionally automate reconnaissance and evidence/report creation.

Repository contains an operational Python PoC exploit for CVE-2026-1357 affecting the WordPress plugin WPvivid Backup & Migration (wpvivid-backuprestore) <= 0.9.123. The exploit is unauthenticated and chains (1) a cryptographic fail-open where a malformed RSA key causes openssl_private_decrypt() to return false and the plugin/crypto stack effectively uses an AES-128-CBC null key and null IV, with (2) a path traversal in the decrypted JSON 'name' field to write outside the intended directory. Structure: - poc.py: Main exploit. Generates an AES-CBC encrypted JSON blob (null key/IV) containing a base64-encoded PHP webshell and a traversal path '../uploads/<rand>.php'. Sends it as wpvivid_content in a POST to the target site root with wpvivid_action=send_to_site, then verifies RCE by requesting /wp-content/uploads/<rand>.php?cmd=<cmd>. - README.md: Explains vulnerability chain, prerequisites (wpvivid_api_token generated and valid), and usage examples. - docker-compose.yml: Provides a local WordPress + MariaDB lab and mounts the vulnerable plugin directory into the container. - requirements.txt: Python dependencies (requests, pycryptodome). Capabilities: - Unauthenticated arbitrary file upload/write via crafted encrypted payload. - Remote code execution by planting a PHP webshell in a web-accessible uploads directory and executing arbitrary OS commands via the cmd query parameter. Notable constraints: - Exploit requires the WPvivid Auto-Migration key (wpvivid_api_token) to have been generated and not expired, as noted in the README, though the PoC itself does not fetch or validate the token; it assumes the vulnerable code path is enabled.

Repository contains a single Python exploit script (`wpvivi.py`) and a short README with usage and a technical explanation. Core capability: unauthenticated (as written) remote file write leading to RCE against a vulnerable WPvivid Backup WordPress plugin by abusing (1) a cryptographic key-handling flaw where a failed RSA decrypt yields a false/empty key that is treated as null bytes, enabling the attacker to encrypt a valid payload with an all-\x00 AES-128 key in ECB mode, and (2) a directory traversal in the filename field to write outside the intended backup directory. Exploit flow in `WPvividExploit.exploit()`: 1) Checks `GET <target>/wp-admin/admin-ajax.php` for HTTP 200 as a basic WordPress reachability test. 2) Crafts a traversal filename: `../../../../wp-content/uploads/<webshell>`. 3) Builds an encrypted message where plaintext is `filename + "\x00" + php_code`, padded to 16 bytes, encrypted with AES-ECB using a 16-byte null key. The message format is: `[len_key_hex(2 bytes)] + [len_data_hex(16 bytes)] + [encrypted_data_hex]` (the script hardcodes key length as `00` and encodes data length as a 16-hex-digit field). 4) Base64-encodes the message and sends it as `wpvivid_content` in a POST to `/wp-admin/admin-ajax.php` with form fields: `action=wpvivid_action` and `wpvivid_action=send_to_site`. 5) If the POST returns 200, it assumes the file was written and then requests `GET <target>/wp-content/uploads/<webshell>?cmd=whoami` to validate command execution. Payload: by default, the script uploads a PHP webshell that executes arbitrary OS commands via `system()` from either GET or POST parameter `cmd`. The README also documents how to supply a custom webshell filename (`--shell`) or custom PHP code (`--code`). Notable targeting notes: README claims the issue is patched in WPvivid version 0.9.124 by rejecting false/empty keys and adding an extension whitelist (zip,gz,tar,sql).